Someone recently disclosed the DedeCMS variable override vulnerability. It is quite an interesting bug, and in some installations it has existed for many years; about six months ago I had also independently discovered
Author: c4rp3nt3r@0x50sec.org
Written in May 2011

Exploiting the DedeCMS arbitrary variable overwrite vulnerability

Summary of the DedeCMS variable override vulnerability
common.inc.php never runs addslashes on the original $_GET array itself; it only escapes the copies it registers as variables named after each key. So when filter.inc.php later overwrites those variables again from the raw array, the _RunMagicQuotes function becomes a paper tiger.
2. common.inc.php

// Checks and registers externally submitted variables. Only the keys of a one-dimensional array are examined here, so the check can be bypassed to create system configuration variables that are not allowed.

Using the variable override below, we can use a GET submission to create data inside the $_POST array. The data is created after the check has run, so it bypasses the check, and the program then registers it as variables.

3. filter.inc.php

This file is a system configuration file. Inside its foreach loop it creates variables again, so it can overwrite system variables.
xxx.php?c4rp3nt3r=c4rp3nt3r's blog
After common.inc.php:
$c4rp3nt3r=c4rp3nt3r\'s blog
After filter.inc.php:
$c4rp3nt3r=c4rp3nt3r's blog
The program does not allow creating variables whose names begin with cfg_, and relies on this to defend against the uninitialized-system-variable vulnerability.
With the common.inc.php flaw we can create such system variables, and so trigger that vulnerability.
But some system variables are already initialized, and they are initialized after the foreach loop in common.inc.php that registers variables; those we can create but cannot overwrite.
The fun part is that filter.inc.php runs a second foreach loop, a second round of variable creation. So in any file that includes filter.inc.php we can overwrite the system variables.
Most files in the /member directory include one file, /member/config.php,
whose first two lines are

require_once(dirname(__FILE__).'/../include/common.inc.php');
require_once(DEDEINC.'/filter.inc.php');

So most files in the /member directory are affected by this vulnerability and can have their system variables overwritten.
Files in other directories are not necessarily safe either, since they can still trigger the uninitialized-system-variable vulnerability.
There are two ways to exploit it.

// magic_quotes_gpc=Off

We submit
xxx.php?_GET[cfg_xx]=c4rp3nt3r's blog
After common.inc.php:
$_GET[cfg_xx]=c4rp3nt3r\'s blog
After filter.inc.php:
$cfg_xx=c4rp3nt3r's blog

Or we submit
xxx.php?_POST[cfg_xx]=c4rp3nt3r's blog
// Check and register externally submitted variables
foreach($_REQUEST as $_k => $_v)   // only the top-level keys of $_REQUEST are checked, so nested keys bypass it and can create disallowed system configuration variables
{
    if( strlen($_k)>0 && eregi('^(cfg|GLOBALS)',$_k) )   // for ?_POST[cfg_xx]=... the top-level key is '_POST', which passes the regex
    {
        exit('Request var not allow!');
    }
}

function _RunMagicQuotes(&$svar)
{
    if(!get_magic_quotes_gpc())
    {
        if( is_array($svar) )
        {
            foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
        }
        else
        {
            $svar = addslashes($svar);
        }
    }
    return $svar;
}

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
    // Submitting xxx.php?_GET[cfg_xx]=c4rp3nt3r's blog only creates $_GET[cfg_xx]; the pass over $_GET has already run,
    // so the variable can only be created by the later foreach loop in filter.inc.php.
    // Submitting xxx.php?_POST[cfg_xx]=c4rp3nt3r's blog first creates $_POST[cfg_xx] during the $_GET pass,
    // which never enters the regex check above, and the following $_POST pass then registers $cfg_xx=c4rp3nt3r\'s blog for us.
}
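As an added example (this is not DedeCMS's or the author's code; the names request_has_forbidden_key, escaped_request and $cfg are assumptions made for the illustration), here is a hardened rewrite of the check-and-register logic above. It validates keys at every nesting depth rather than only the top level, refuses keys that name superglobals, escapes input into a returned array instead of registering globals with ${$_k}, and keeps configuration in an array that request handling never assigns into, so a second include such as filter.inc.php has nothing to overwrite:

```php
<?php
// Added example, not DedeCMS code: a hardened rewrite of the check-and-register
// pattern from common.inc.php / filter.inc.php. All function and variable names
// (request_has_forbidden_key, escaped_request, $cfg) are assumed for illustration.

// 1. Validate keys at EVERY nesting level. The original loop looked only at the
//    top-level keys of $_REQUEST, so for ?_POST[cfg_xx]=... it saw '_POST' and
//    let the nested 'cfg_xx' through. Keys that name superglobals are refused
//    too, because registering them is how a GET request forged $_POST data.
function request_has_forbidden_key(array $data, int $depth = 0): bool
{
    if ($depth > 8) {                    // refuse absurdly deep structures
        return true;
    }
    foreach ($data as $k => $v) {
        if (preg_match('/^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_REQUEST|_SERVER)/i', (string) $k)) {
            return true;
        }
        if (is_array($v) && request_has_forbidden_key($v, $depth + 1)) {
            return true;
        }
    }
    return false;
}

// 2. Escape every leaf and return a NEW array. Nothing is written into the
//    global symbol table (no ${$_k} = ...), so there is no variable for a
//    second include such as filter.inc.php to overwrite with raw input.
function escaped_request(array $data): array
{
    $out = [];
    foreach ($data as $k => $v) {
        $out[$k] = is_array($v) ? escaped_request($v) : addslashes((string) $v);
    }
    return $out;
}

// 3. Configuration is a dedicated array initialised before any request data
//    is touched; the request handling below only reads it, never assigns into it.
$cfg = ['cfg_xx' => 'safe default'];

// Constructed input equivalent to the page's xxx.php?_POST[cfg_xx]=c4rp3nt3r's blog
// (in a real handler you would pass $_REQUEST / $_GET here instead).
$constructed = ['_POST' => ['cfg_xx' => "c4rp3nt3r's blog"]];

if (request_has_forbidden_key($constructed)) {
    echo "rejected: forbidden key found at some nesting level\n";
} else {
    $get = escaped_request($constructed);
    echo "accepted\n";
}

// A benign request (constructed) passes the key check and is escaped into a
// fresh array; $cfg is untouched either way.
$benign = ['title' => "c4rp3nt3r's blog"];
if (!request_has_forbidden_key($benign)) {
    $get = escaped_request($benign);
    echo "escaped title: ", $get['title'], "\n";
}
echo "cfg_xx is still: ", $cfg['cfg_xx'], "\n";
```

Run it from the command line with php; the constructed arrays stand in for a real request. The design choice that matters most is the second point: as long as request data is only ever read out of a returned array, the order in which common.inc.php and filter.inc.php are included no longer determines which copy of a value wins.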