DedeCMSV53 arbitrary variable overwrite vulnerability - vulnerability warning - the black bar safety net

2009-05-29T00:00:00
ID MYHACK58:62200923385
Type myhack58
Reporter 佚名
Modified 2009-05-29T00:00:00

Description

DedeCMSV53 arbitrary variable overwrite vulnerability

Today I saw an article by mr_xhming: http://hi.baidu.com/mr_xhming/blog/item/8176f00bf540f11795ca6b3f.html . It looks like this old bug still hasn't been patched, so I am reposting it here from the forum; everyone is welcome to throw bricks.

DedeCMSV53 arbitrary variable overwrite vulnerability

BY flyh4t http://www.wolvez.org 2008-12-12

DedeCMS V5.3 has been released, but the variable overwrite holes are still not completely patched. This vulnerability is very similar to ryat's :) Look at the code in the core file include/common.inc.php:

PHP code

    //Check and register externally submitted variables
    foreach($_REQUEST as $_k=>$_v)
    {
        // keys starting with _ , cfg_ or GLOBALS are rejected, but only when
        // no cookie of the same name exists -- programmer logical confusion?
        if( strlen($_k)>0 && eregi('^(_|cfg_|GLOBALS)',$_k) && !isset($_COOKIE[$_k]) )
        {
            exit('Request var not allow!');
        }
    }

Here the filtering of cfg_ and the other keywords can be bypassed by submitting a COOKIE with the same variable name. The variables are then registered by this code:

PHP code

    foreach(Array('_GET','_POST','_COOKIE') as $_request)
    {
        foreach($$_request as $_k=>$_v) ${$_k} = _RunMagicQuotes($_v);
    }

Then the variables are initialized:

    //Database configuration file
    require_once(DEDEDATA.'/common.inc.php');

    //The system configuration parameters
    require_once(DEDEDATA."/config.cache.inc.php");

Since these configuration files are included after the registration loop, the overwrite seems unusable. Fortunately, at the end of the file there is this code:

    //Convert the uploaded-file related variables, do security processing,
    //and include the generic upload function
    if($_FILES)
    {
        require_once(DEDEINC.'/uploadsafe.inc.php');
    }

Now let's see what uploadsafe.inc.php provides us:

PHP code

    $keyarr = array('name','type','tmp_name','size');

    foreach($_FILES as $_key=>$_value)
    {
        foreach($keyarr as $k)
        {
            if(!isset($_FILES[$_key][$k]))
            {
                exit('Request Error!');
            }
        }
        $$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\","\\",$_FILES[$_key]['tmp_name']);
    }

Note this place: through the common.inc.php vulnerability we can control $_FILES[$_key]['tmp_name']. By submitting something like common.inc.php?_FILES[cfg_xxxx][tmp_name]=aaaaaa&...... we can overwrite cfg_xxxx. When using this, pay attention to the cookie assignment, and at the same time bypass some of the checks inside uploadsafe.inc.php