{"id": "MYHACK58:62201131560", "hash": "7577a467ee80affc9acb991deadf4fbdbcbaa892d535c01a490a54079bfa8d9a", "history": [], "published": "2011-08-12T00:00:00", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "ba85cc83534bc798464d905bb29c199f", "key": "description"}, {"hash": "282e650f3afe3c07047efec840035428", "key": "href"}, {"hash": "44ab3dcc00fb35c0e0325511299d1aaf", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "44ab3dcc00fb35c0e0325511299d1aaf", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "645396391020478112635e14b34a0f8b", "key": "reporter"}, {"hash": "92e215fdec6faf609a3b3f0cab55f961", "key": "title"}, {"hash": "0665a8b0792e65b50ab13aef58a018dc", "key": "type"}], "type": "myhack58", "objectVersion": "1.2", "references": [], "edition": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-11-12T18:13:01"}, "vulnersScore": 5.0}, "cvelist": [], "modified": "2011-08-12T00:00:00", "title": "About Dedecms variable coverage exploits-vulnerability warning-the black bar safety net", "viewCount": 0, "description": "Someone recently broke the dedecms variable coverage holes,it is also a quite interesting vulnerability, and in some cases dedecms this variable vulnerability to exist for so long in some people are many years,about six months ago I also independently discovered by\n\n\u672c\u6587 c4rp3nt3r@0x50sec.org\n\nWrite in 2 0 1 1 year 5 month\n\nDedeCMS arbitrary variable overwrite vulnerability of the use of\n\nDedecms variable coverage holes summary\n\n1. On magic_quotes_gpc=Off\n\ncommon. inc. php for the original one-dimensional array of the$_GET of the original data is not addslashes, but for a one-dimensional array of$the$key for the addslashes, the result filter. inc. php cover again when that _RunMagicQuotes function became a paper Tiger.\n\n2.common.inc.php\n\n//To check and register the external submission of the variables, here only examine a one-dimensional array of key, can be bypassed to create does not allow the system configuration variables\n\nWe can use the following variable override vulnerability using the GET submit way to create a$_POST array of data, create is in check after also bypasses the check, created after the program and register into variables.\n\n3.filter.inc.php\n\nThis file in the system configuration file, inside the foreach Loop, create a variable, so you can override the system variables.\n\n1. On magic_quotes_gpc=off when you can bypass the _RunMagicQuotes of filtering!\n\nxxx. php? site=c4rp3nt3r\u2019s blog\n\n\u7ecf\u8fc7 common.inc.php\n\n$c4rp3nt3r=c4rp3nt3r\\\u2019s blog\n\n\u7ecf\u8fc7 filter.inc.php\n\n$c4rp3nt3r=c4rp3nt3r\u2019s blog\n\n2. Create a system variable\n\nThe program does not allow to create cfg_ at the beginning of the variable, relying on such a defense system variables not initialized vulnerability.\n\ncommon. inc. php file of the vulnerability we created system variables can trigger this vulnerability.\n\nBut some system variables have been initialized, and is in common. inc. php file foreach Loop register variables after a, that is we can create, but can not cover to\n\nBut the fun is filter. inc. php this file and conducted a foreach loop which is the secondary creation. So if you include the filter. inc. php file we can override the system variables.\n\n\u5728 /member \u76ee\u5f55 \u7684 \u5927\u90e8\u5206 \u6587\u4ef6 \u90fd \u5305\u542b \u8fd9\u4e48 \u4e00 \u4e2a \u6587\u4ef6 /member/config.php\n\nThis file is the first two sentences is\n\nrequire_once(dirname(__FILE__).\u2019/../ include/common.inc.php\u2019);\n\nrequire_once(DEDEINC.\u2019/ filter.inc.php\u2019);\n\nThat is/member directory most of the files are affected by this vulnerability can overwrite system variables.\n\nOther directory of file is not necessarily safe, can trigger the system variable is not initialized vulnerability.\n\nThere are two kinds of use methods\n\n1. Depends on common. inc. php variable is created and the filter. inc. php variable coverage\n\n//magic_quote_gpc=Off\n\nWe submitted\n\nxxx. php? _GET[cfg_xx]=c4rp3nt3r\u2019s blog\n\n\u7ecf\u8fc7 common.inc.php\n\n$_GET[cfg_xx]=c4rp3nt3r\\\u2019s blog\n\n\u7ecf\u8fc7 filter.inc.php\n\n$cfg_xx=c4rp3nt3r\u2019s blog\n\n2. Depends on common. inc. php variables creation\n\nSubmitted\n\nxxx. php? _POST[cfg_xx]=c4rp3nt3r\u2019s blog\n\n//Check and registration outside the submitted variables\n\nforeach($_REQUEST as $_k= > $_v) //here check only one-dimensional array of key, can be bypassed to create does not allow the system configuration variables\n\n{\n\nif( strlen($_k)>0 && eregi(\u2018^(cfg_|GLOBALS)\u2019,$_k) ) //$_k=\u2019_POST[cfg_xx]\u2018;bypassing the regular\n\n{\n\nexit(\u2018Request var not allow!\u2019);\n\n}\n\n}\n\nfunction _RunMagicQuotes(&$svar)\n\n{\n\nif(! get_magic_quotes_gpc())\n\n{\n\nif( is_array($svar) )\n\n{\n\nforeach($svar as $_k = > $_v) $svar[$_k] = _RunMagicQuotes($_v);\n\n}\n\nelse\n\n{\n\n$svar = addslashes($svar);\n\n}\n\n}\n\nreturn $svar;\n\n}\n\nforeach(Array(\u2018_GET\u2019,'_POST\u2019,'_COOKIE\u2019) as $_request)\n\n{\n\nforeach($$_request as $_k = > $_v) ${$_k} = _RunMagicQuotes($_v);\n\n//If submitted xxx. php? _GET[cfg_xx]=c4rp3nt3r\u2019s blog\n\n//Only create the$_GET[cfg_xx]but the first loop the$_GET has been performed done,only the use of the filter. inc. php foreach Loop variables to cover to create a\n\n//If we submitted xxx. php? _POST[cfg_xx]=c4rp3nt3r\u2019s blog\n\n//First execution$_GET circulation only after creating a$_POST[cfg_xx],will not enter the above regular checks\n\n//But next to the$_POST loop just in time to register for our variables$cfg_xx=c4rp3nt3r\\\u2019s blog\n", "href": "http://www.myhack58.com/Article/html/3/62/2011/31560.htm", "bulletinFamily": "info", "reporter": "\u4f5a\u540d", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2016-11-12T18:13:01"}

{}