DedeCMS (织梦) V5.x Local File Inclusion Vulnerability - Vulnerability Alert - 黑吧安全网

2013-03-31T00:00:00
ID MYHACK58:62201338051
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-03-31T00:00:00

Description

Release time: 2013-03-29 (GMT+0800)

Affected versions:

DedeCMS 5.x

Vulnerability description:

DedeCms is a free PHP web content management system.

plus/carbuyaction.php does not strictly filter the variables it passes on to the payment modules.

The two vulnerable files are Include/payment/alipay.php and Include/payment/yeepay.php; in both, the vulnerability is in the respond() method.

Include/payment/alipay.php

```php
......
function respond()
{
    if (!empty($_POST))
    {
        foreach ($_POST as $key => $data)
        {
            $_GET[$key] = $data;
        }
    }
    /* Include the configuration file */
    require_once DEDEDATA.'/payment/'.$_GET['code'].'.php';
......
```

At around line 133, $_GET['code'] is used without any validation or filtering. Note that the loop above copies every POST parameter into $_GET, so the value can be supplied by either method.

Include/payment/yeepay.php

```php
......
function respond()
{
    /* Include the configuration file */
    require_once DEDEDATA.'/payment/'.$_REQUEST['code'].'.php';
    $p1_MerId = trim($payment['yp_account']);
    $merchantKey = trim($payment['yp_key']);
......
```

At around line 145, $_REQUEST['code'] is used without any validation or filtering.

References:

> http://bugscan.net/manage/node/83
> http://www.cnseay.com/2515/

Test method:

  1. `http://www.dedecms.com/plus/carbuyaction.php?dopost=return&code=../../tags` The request above includes the tags.php file under the site root directory. Because a suffix is appended to the included path, you need to construct a truncation yourself. When testing with the exploit, you also need to add a cookie with code equal to alipay or yeepay.
  2. Because the bank and cod payment files do not implement respond(), setting code equal to bank or cod triggers a fatal error that discloses the server path.

Repair method:

The vendor has not yet released a patch or upgrade. Users of this software are advised to obtain the latest version from the vendor's home page: http://www.dedecms.com/products/dedecms/

Temporary fix:

  1. Include/payment/alipay.php, at around line 133, replace

     require_once DEDEDATA.'/payment/'.$_GET['code'].'.php';

     with

     require_once DEDEDATA.'/payment/'.basename($_GET['code']).'.php';

  2. Include/payment/yeepay.php, at around line 145, replace

     require_once DEDEDATA.'/payment/'.$_REQUEST['code'].'.php';

     with

     require_once DEDEDATA.'/payment/'.basename($_REQUEST['code']).'.php';
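The following script is an added illustration, not DedeCMS code and not part of the original advisory. It works out where the include line in respond() lands for a few values of `code` (including the advisory's `../../tags` payload) and contrasts the basename() stopgap above with a stricter allowlist. It assumes DEDEDATA is `<webroot>/data`, as in a typical DedeCMS install, and that the four gateway names mentioned in this advisory (alipay, yeepay, bank, cod) are the ones that exist; the function names and the lexical_resolve() helper are my own.

```php
<?php
/*
 * Added example (not DedeCMS source). Shows what the vulnerable include
 * resolves to, and how basename() and an allowlist change that.
 * Assumption: DEDEDATA = <webroot>/data, as in a normal DedeCMS install.
 */
define('WEBROOT', '/var/www/html');
define('DEDEDATA', WEBROOT . '/data');

// Gateway names mentioned in the advisory; assumed to be the full set shipped.
const PAYMENT_GATEWAYS = ['alipay', 'yeepay', 'bank', 'cod'];

// 1. Vulnerable pattern from respond(): user input concatenated straight into the path.
function vulnerable_payment_file(string $code): string
{
    return DEDEDATA . '/payment/' . $code . '.php';
}

// 2. Advisory's temporary fix: basename() drops every directory component,
//    so '../../tags' becomes 'tags' and the include stays inside data/payment/.
function basename_payment_file(string $code): string
{
    return DEDEDATA . '/payment/' . basename($code) . '.php';
}

// 3. Stricter alternative: only accept gateway names we know exist.
//    Returns null (caller should abort) for anything else.
function allowlisted_payment_file(string $code): ?string
{
    if (!in_array($code, PAYMENT_GATEWAYS, true)) {
        return null;
    }
    return DEDEDATA . '/payment/' . $code . '.php';
}

// Lexically collapse '.' and '..' segments so the final include target is
// visible without touching the filesystem (realpath() needs the file to exist).
function lexical_resolve(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Constructed inputs: a legitimate gateway, the advisory's payload, and a
// deeper traversal that leaves the web root entirely.
$codes = ['alipay', '../../tags', '../../../../../etc/passwd'];

foreach ($codes as $code) {
    $vuln  = lexical_resolve(vulnerable_payment_file($code));
    $base  = lexical_resolve(basename_payment_file($code));
    $allow = allowlisted_payment_file($code);

    $escaped = strpos($vuln, DEDEDATA . '/payment/') !== 0;

    printf("code=%s\n", var_export($code, true));
    printf("  vulnerable include -> %s%s\n", $vuln, $escaped ? '   (escapes data/payment/)' : '');
    printf("  basename() fix     -> %s\n", $base);
    printf("  allowlist fix      -> %s\n", $allow ?? 'rejected');
}
```

Run with `php lfi_check.php`. For `../../tags` the vulnerable path collapses to `/var/www/html/tags.php`, which is exactly the site-root tags.php the test method above says gets included; the basename() version resolves to `/var/www/html/data/payment/tags.php` instead, and the allowlist rejects the value outright. The `.php` suffix stays attached in every case, which is why the advisory says a truncation has to be constructed to reach a file with a different extension. basename() is adequate as a stopgap, but an allowlist also stops arbitrary files inside data/payment/ from being loaded and makes it easy to exclude gateways such as bank and cod that have no respond() method, so the fatal-error path leak from test step 2 cannot be triggered either.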