diff --git a/src/dede/co_export.php b/src/dede/co_export.php
index bffcdf0..8ae2149 100755
--- a/src/dede/co_export.php
+++ b/src/dede/co_export.php
@@ -4,7 +4,7 @@
*
* @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $
* @package DedeCMS.Administrator
- * @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
+ * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
@@ -217,7 +217,8 @@ else
$mainSql = str_replace('@sortrank@', $sortrank, $mainSql);
$mainSql = str_replace('@pubdate@', $pubdate, $mainSql);
$mainSql = str_replace('@senddate@', $senddate, $mainSql);
- $mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql);
+ $mainSql = str_replace('@title@', cn_substr($title, $cfg_title_maxlen), $mainSql);
+ //$mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql); 原来的语句,采集的文章导出到栏目后标题不全
$addSql = str_replace('@sortrank@', $sortrank, $addSql);
$addSql = str_replace('@senddate@', $senddate, $addSql);
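Review bot: The commented-out original statement left on L20 is dead code; keep the rationale and drop the statement, e.g. `// title length follows $cfg_title_maxlen; the fixed 60 truncated titles of collected articles`. `$cfg_title_maxlen` is a global configuration value that is not visible in this hunk, and what `cn_substr` does with an unset length cannot be seen here either, so if the setting may be absent a guarded form is safer: `cn_substr($title, empty($cfg_title_maxlen) ? 60 : $cfg_title_maxlen)`. The enclosing `else` branch starts outside the hunk.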
diff --git a/src/dede/media_add.php b/src/dede/media_add.php
index abf0b01..515942c 100755
--- a/src/dede/media_add.php
+++ b/src/dede/media_add.php
@@ -4,7 +4,7 @@
*
* @version $Id: media_add.php 2 15:25 2011-6-2 tianya $
* @package DedeCMS.Administrator
- * @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
+ * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
@@ -67,6 +67,11 @@ if($dopost=="upload")
MkdirAll($cfg_basedir.$savePath,777);
CloseFtp();
}
+ /*
+ dedecms后台文件任意上传漏洞
+ 漏洞描述:dedecms早期版本后台存在大量的富文本编辑器,该控件提供了一些文件上传接口,同时dedecms对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限。
+ */
+ if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!"); exit(); }
$fullfilename = $cfg_basedir.$filename;
if($mediatype==1)
{
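Review bot: The pattern on the added check requires at least one non-alphanumeric character after the extension (`[^a-zA-Z0-9]+$`), so a name that ends exactly in `.php` is not matched by this line, only the trailing-junk variants are; unless that case is rejected elsewhere (not visible in the hunk), change the quantifier: `if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]*$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!"); exit(); }`. A denylist of extensions stays fragile as server handlers change; an allowlist of the media extensions this page is meant to accept, applied to the final stored name, is the more robust form. The check tests `trim($filename)` while `$fullfilename` on the next line uses the untrimmed value, so the name that is tested and the name that is used can differ; normalise once and use that variable for both. The surrounding `if($dopost=="upload")` block starts outside the hunk.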
diff --git a/src/include/uploadsafe.inc.php b/src/include/uploadsafe.inc.php
index 2338a01..ccc561e 100755
--- a/src/include/uploadsafe.inc.php
+++ b/src/include/uploadsafe.inc.php
@@ -1,13 +1,4 @@
$_value)
${$_key.'_name'} = $_FILES[$_key]['name'];
${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']);
-
- if (is_array(${$_key.'_name'})) {
- if (count(${$_key.'_name'}) > 0) {
- foreach (${$_key.'_name'} as $key => $value) {
- if (!empty($value) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $value) || !preg_match("#\.#", $value))) {
- if(!defined('DEDEADMIN'))
- {
- exit('Not Admin Upload filetype not allow !');
- }
- }
- }
- }
- } else {
- if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) )
+ if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) )
+ {
+ if(!defined('DEDEADMIN'))
{
- if(!defined('DEDEADMIN'))
- {
- exit('Not Admin Upload filetype not allow !');
- }
+ exit('Not Admin Upload filetype not allow !');
}
}
-
-
if(empty(${$_key.'_size'}))
{
- ${$_key.'_size'} = @filesize($$_key);
+ ${$_key.'_size'} = @filesize($$_key);
}
+ $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } }
$imtypes = array
(
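Review bot: The `if($image_dd == false){ continue; }` added on L89, and again on L112 in the second hunk of this file, runs before `if (!is_array($image_dd))`; since `getimagesize()` returns `false` for a file it cannot parse, the `exit('Upload filetype not allow !')` that follows can no longer be reached, and an upload declaring an image content type that is not an image is skipped instead of rejected. Delete the `continue` clause in both places so the existing `is_array` check decides. The one-line block on L89 also duplicates the `$imtypes` array and the whole image check that follows on L90 and in the second hunk; keep one copy. Dropping the removed `is_array(${$_key.'_name'})` branch means a multi-file field (array-valued `name`) is no longer checked element by element, and `preg_match` on an array validates nothing, so either restore that branch or reject array-valued names explicitly. The `foreach($_FILES ...)` loop this belongs to starts outside the hunk.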
@@ -75,30 +49,13 @@ foreach($_FILES as $_key=>$_value)
"image/xpng", "image/wbmp", "image/bmp"
);
- if (is_array(${$_key.'_type'})) {
- if (count(${$_key.'_type'}) > 0) {
- foreach (${$_key.'_type'} as $key => $value) {
- if(in_array(strtolower(trim($value)), $imtypes))
- {
- $image_dd = @getimagesize($$_key);
- if (!is_array($image_dd))
- {
- exit('Upload filetype not allow !');
- }
- }
- }
- }
- } else {
- if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
+ if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
+ {
+ $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; }
+ if (!is_array($image_dd))
{
- $image_dd = @getimagesize($$_key);
- if (!is_array($image_dd))
- {
- exit('Upload filetype not allow !');
- }
+ exit('Upload filetype not allow !');
}
}
-
-
}
?>
\ No newline at end of file
diff --git a/src/member/album_add.php b/src/member/album_add.php
index 3452646..5ca3e71 100755
--- a/src/member/album_add.php
+++ b/src/member/album_add.php
@@ -4,7 +4,7 @@
*
* @version $Id: album_add.php 1 13:52 2010年7月9日Z tianya $
* @package DedeCMS.Member
- * @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
+ * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
@@ -217,7 +217,8 @@ else if($dopost=='save')
ShowMsg("无法获得主键,因此无法进行后续操作!","-1");
exit();
}
- $description = HtmlReplace($description, -1);
+ $description = HtmlReplace($description, -1);//2011.06.30 增加html过滤 (by:织梦的鱼)
+ $mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。
//保存到主表
$inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle,
color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype)
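Review bot: The added `intval($mtypesid)` cast sits directly above the INSERT that presumably interpolates it, but the same statement lists `typeid`, `sortrank`, `arcrank`, `click` and `money`, whose casting is not visible in this hunk; if they are not normalised where they are read from the request they need the same treatment, ideally with all casts grouped at the top of the `save` branch rather than next to the query. The explanatory comment should be in English and say what the line protects: `$mtypesid = intval($mtypesid); // interpolated unescaped into the INSERT below, force integer`. The enclosing `else if($dopost=='save')` branch starts outside the hunk.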
diff --git a/src/member/article_add.php b/src/member/article_add.php
index 72f2336..5229a6f 100755
--- a/src/member/article_add.php
+++ b/src/member/article_add.php
@@ -4,7 +4,7 @@
*
* @version $Id: article_add.php 1 8:38 2010年7月9日Z tianya $
* @package DedeCMS.Member
- * @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
+ * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
@@ -80,7 +80,7 @@ else if($dopost=='save')
}
}
- if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode))
+ if (empty($dede_fieldshash) || ( $dede_fieldshash != md5($dede_addonfields . $cfg_cookie_encode) && $dede_fieldshash != md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)) )
{
showMsg('数据校验不对,程序返回', '-1');
exit();
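Review bot: The widened check on L168 compares MD5 digests with `!=`, PHP's loose comparison, which treats numeric-looking strings numerically, so a strict comparison is required here; and the second accepted digest built from the literal `'anythingelse'` carries no comment saying why a second valid token exists. Use a strict, constant-time comparison and document or drop the alternate: `if (empty($dede_fieldshash) || !hash_equals(md5($dede_addonfields . $cfg_cookie_encode), $dede_fieldshash))`, adding a second `hash_equals` term only if the alternate token is genuinely produced somewhere. If it is, a comment naming the form that emits it would let the next reader verify the pairing. The enclosing `else if($dopost=='save')` branch starts outside the hunk.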
diff --git a/src/member/inc/archives_check_edit.php b/src/member/inc/archives_check_edit.php
index b5b83ec..95ae9e6 100755
--- a/src/member/inc/archives_check_edit.php
+++ b/src/member/inc/archives_check_edit.php
@@ -4,7 +4,7 @@
*
* @version $Id: archives_check_edit.php 1 13:52 2010年7月9日Z tianya $
* @package DedeCMS.Member
- * @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
+ * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
@@ -89,5 +89,5 @@ if($litpic != '')
}
else
{
- $litpic =$oldlitpic;
+ $litpic =$oldlitpic; if (strpos( $litpic, '..') !== false || strpos( $litpic, $cfg_user_dir."/{$userid}/" ) === false) exit('not allowed path!');
}
\ No newline at end of file
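Review bot: The check added on L190 treats the user directory as a substring (`strpos($litpic, $cfg_user_dir."/{$userid}/") === false`), so any path that merely contains that segment somewhere passes; if the intent is that `$litpic` must lie under the user's own directory, anchor it as a prefix, `strpos($litpic, $cfg_user_dir."/{$userid}/") !== 0`, and put the guard on its own lines instead of after `$litpic =$oldlitpic;` on the same line. Only the `$oldlitpic` branch is guarded; the `$litpic != ''` branch is outside this hunk, so whether a freshly supplied value receives the same check cannot be seen here. The plain `exit('not allowed path!')` also bypasses the `ShowMsg` pattern the sibling files in this diff use for user-facing errors.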
diff --git a/src/member/inc/inc_archives_functions.php b/src/member/inc/inc_archives_functions.php
index 3ad4207..70175e7 100755
--- a/src/member/inc/inc_archives_functions.php
+++ b/src/member/inc/inc_archives_functions.php
@@ -4,7 +4,7 @@
*
* @version $Id: inc_archives_functions.php 1 13:52 2010年7月9日Z tianya $
* @package DedeCMS.Member
- * @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
+ * @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
@@ -236,7 +236,7 @@ function PrintAutoFieldsAdd(&$fieldset, $loadtype='all', $isprint=TRUE)
}
}
if ($isprint) echo "\r\n";
- echo "";
+ echo "";
// 增加一个返回
return $addonfieldsname;
}
diff --git a/src/member/soft_add.php b/src/member/soft_add.php
index 8926aa8..924974c 100755
--- a/src/member/soft_add.php
+++ b/src/member/soft_add.php
@@ -148,11 +148,10 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank'
//软件链接列表
$softurl1 = stripslashes($softurl1);
$softurl1 = str_replace(array("{dede:","{/dede:","}"), "#", $softurl1);
- $servermsg1 = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg1);
$urls = '';
if($softurl1!='')
{
- $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
+ if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; }
}
for($i=2; $i<=12; $i++)
{
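Review bot: Removing the `str_replace` on L223 (and the matching one on L236 in the second hunk) takes away the neutralisation of `{dede:`, `{/dede:` and `}` in `$servermsg1`/`$servermsg` before they are interpolated into the template tag built on L228, and the added `preg_match` guard rejects only one specific sequence (`}...{/dede:link}{dede:`), not the general case. That tag delimits `text` with single quotes and closes with `}`, so either character in `$servermsg1` changes the tag's structure; the values for i>=2 strip `'` on L233, but `$servermsg1` has no visible equivalent in this hunk. The replacement was the broader control and should stay, with the pattern check at most as an extra guard: `$servermsg1 = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg1);`.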
@@ -161,7 +160,6 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank'
$servermsg = str_replace("'","",stripslashes(${'servermsg'.$i}));
$softurl = stripslashes(${'softurl'.$i});
$softurl = str_replace(array("{dede:","{/dede:","}"), "#", $softurl);
- $servermsg = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg);
if($servermsg=='')
{
$servermsg = '下载地址'.$i;
@@ -198,7 +196,7 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank'
$dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'");
echo $inQuery;
exit();
- ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;");
+ ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCms官方。".str_replace('"','',$gerr),"javascript:;");
exit();
}
diff --git a/src/plus/guestbook/edit.inc.php b/src/plus/guestbook/edit.inc.php
index 0e957d7..b612c3b 100755
--- a/src/plus/guestbook/edit.inc.php
+++ b/src/plus/guestbook/edit.inc.php
@@ -52,6 +52,10 @@ else if($job=='editok')
}
}
$msg = HtmlReplace($msg, -1);
+ /*
+ 漏洞描述:dedecms留言板注入漏洞。
+ */
+ $msg = addslashes($msg);
$dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS);
exit();
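Review bot: `addslashes()` added on L259 is not an SQL escaping function — it is unaware of the connection charset — so it is a weak stand-in for a driver escape or a bound parameter; if the `$dsql` wrapper exposes parameter binding or a proper escape, use that for `msg`. In the same UPDATE on L260, `$id` is interpolated with no cast visible in this hunk; unless it is normalised earlier, add `$id = intval($id);` before the query. The explanatory comment should be in English and state the purpose rather than restate the vulnerability class: `// escape before interpolating into the UPDATE below`. The enclosing `else if($job=='editok')` branch starts outside the hunk.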
@@ -66,4 +70,4 @@ else
{
$row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'");
require_once(DEDETEMPLATE.'/plus/guestbook-user.htm');
-}
\ No newline at end of file
+}