About Dedecms variable coverage exploits-vulnerability warning-the black bar safety net

ID MYHACK58:62201131560
Type myhack58
Reporter 佚名
Modified 2011-08-12T00:00:00


Someone recently broke the dedecms variable coverage holes,it is also a quite interesting vulnerability, and in some cases dedecms this variable vulnerability to exist for so long in some people are many years,about six months ago I also independently discovered by

本文 c4rp3nt3r@0x50sec.org

Write in 2 0 1 1 year 5 month

DedeCMS arbitrary variable overwrite vulnerability of the use of

Dedecms variable coverage holes summary

  1. On magic_quotes_gpc=Off

common. inc. php for the original one-dimensional array of the$_GET of the original data is not addslashes, but for a one-dimensional array of$the$key for the addslashes, the result filter. inc. php cover again when that _RunMagicQuotes function became a paper Tiger.


//To check and register the external submission of the variables, here only examine a one-dimensional array of key, can be bypassed to create does not allow the system configuration variables

We can use the following variable override vulnerability using the GET submit way to create a$_POST array of data, create is in check after also bypasses the check, created after the program and register into variables.


This file in the system configuration file, inside the foreach Loop, create a variable, so you can override the system variables.

  1. On magic_quotes_gpc=off when you can bypass the _RunMagicQuotes of filtering!

xxx. php? site=c4rp3nt3r’s blog

经过 common.inc.php

$c4rp3nt3r=c4rp3nt3r\’s blog

经过 filter.inc.php

$c4rp3nt3r=c4rp3nt3r’s blog

  1. Create a system variable

The program does not allow to create cfg_ at the beginning of the variable, relying on such a defense system variables not initialized vulnerability.

common. inc. php file of the vulnerability we created system variables can trigger this vulnerability.

But some system variables have been initialized, and is in common. inc. php file foreach Loop register variables after a, that is we can create, but can not cover to

But the fun is filter. inc. php this file and conducted a foreach loop which is the secondary creation. So if you include the filter. inc. php file we can override the system variables.

在 /member 目录 的 大部分 文件 都 包含 这么 一 个 文件 /member/config.php

This file is the first two sentences is

require_once(dirname(FILE).’/../ include/common.inc.php’);

require_once(DEDEINC.’/ filter.inc.php’);

That is/member directory most of the files are affected by this vulnerability can overwrite system variables.

Other directory of file is not necessarily safe, can trigger the system variable is not initialized vulnerability.

There are two kinds of use methods

  1. Depends on common. inc. php variable is created and the filter. inc. php variable coverage


We submitted

xxx. php? _GET[cfg_xx]=c4rp3nt3r’s blog

经过 common.inc.php

$_GET[cfg_xx]=c4rp3nt3r\’s blog

经过 filter.inc.php

$cfg_xx=c4rp3nt3r’s blog

  1. Depends on common. inc. php variables creation


xxx. php? _POST[cfg_xx]=c4rp3nt3r’s blog

//Check and registration outside the submitted variables

foreach($_REQUEST as $_k= > $_v) //here check only one-dimensional array of key, can be bypassed to create does not allow the system configuration variables


if( strlen($k)>0 && eregi(‘^(cfg|GLOBALS)’,$_k) ) //$_k=’_POST[cfg_xx]‘;bypassing the regular


exit(‘Request var not allow!’);



function _RunMagicQuotes(&$svar)


if(! get_magic_quotes_gpc())


if( is_array($svar) )


foreach($svar as $_k = > $_v) $svar[$_k] = _RunMagicQuotes($_v);




$svar = addslashes($svar);



return $svar;


foreach(Array(‘_GET’,'_POST’,'_COOKIE’) as $_request)


foreach($$_request as $_k = > $_v) ${$_k} = _RunMagicQuotes($_v);

//If submitted xxx. php? _GET[cfg_xx]=c4rp3nt3r’s blog

//Only create the$_GET[cfg_xx]but the first loop the$_GET has been performed done,only the use of the filter. inc. php foreach Loop variables to cover to create a

//If we submitted xxx. php? _POST[cfg_xx]=c4rp3nt3r’s blog

//First execution$_GET circulation only after creating a$_POST[cfg_xx],will not enter the above regular checks

//But next to the$_POST loop just in time to register for our variables$cfg_xx=c4rp3nt3r\’s blog