1. /include/filter.inc.php file, search (about line 46)
return $svar;
modified to
return addslashes($svar);
2. /member/mtypes.php file, search (about line 71)
$query = "UPDATE `dede_mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
change to
$id = intval($id); $query = "UPDATE `dede_mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
3. /member/pm.php file, search (about line 65)
$row = $dsql->GetOne("SELECT * FROM `dede_member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}') ");
Modify to
$id = intval($id); $row = $dsql->GetOne("SELECT * FROM `dede_member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");
4. /plus/guestbook/edit.inc.php file, search (about line 55)
$dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='" .time()."' WHERE id='$id' ");
Modify to
$msg = addslashes($msg); $dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
5. /plus/search.php file, search (about line 109)
$keyword = addslashes(cn_substr($keyword,30));
modified to
$typeid = intval($typeid); $keyword = addslashes(cn_substr($keyword,30));
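The pattern behind steps 1 to 5 (intval() for ids, addslashes() for text that lands inside a quoted literal), shown as an added illustration with constructed inputs; this is not DedeCMS code, and the helper names and sample values are assumptions:

```php
<?php
// Added example, not DedeCMS code. Reproduces the query shapes from steps 2 and 4
// so the unpatched and patched strings can be compared side by side.

// Step 2 shape, before the patch: $id is dropped into the SQL untouched.
function build_mtype_update_unpatched(string $name, string $id, string $mid): string {
    return "UPDATE `dede_mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$mid'";
}

// Step 2 shape, after the patch: intval() keeps only the leading integer,
// addslashes() (applied centrally by step 1 in filter.inc.php) escapes quotes.
function build_mtype_update_patched(string $name, string $id, string $mid): string {
    $id = intval($id);
    $name = addslashes($name);
    return "UPDATE `dede_mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$mid'";
}

// Step 4 shape: free text going into a quoted literal is escaped before use.
function build_guestbook_update(string $msg, int $id, int $posttime): string {
    $msg = addslashes($msg);
    return "UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='$posttime' WHERE id='$id'";
}

// Constructed sample inputs (hypothetical): a stray quote in the id and in the name.
$id   = "7'";            // unbalanced quote ends the literal early in the unpatched query
$name = "it's a test";

echo build_mtype_update_unpatched($name, $id, '3'), "\n";
// ... mtypename='it's a test' WHERE mtypeid='7'' AND mid='3'   (two broken literals)
echo build_mtype_update_patched($name, $id, '3'), "\n";
// ... mtypename='it\'s a test' WHERE mtypeid='7' AND mid='3'   (both neutralised)
echo build_guestbook_update("he said \"hi\" & it's fine", 12, 1700000000), "\n";
// ... `msg`='he said \"hi\" & it\'s fine', `posttime`='1700000000' WHERE id='12'
```

addslashes() only escapes quotes, backslashes and NUL; it is the minimal in-place fix these steps apply, while bound parameters (mysqli or PDO) remain the durable one for new code.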
6. /member/soft_add.php file, search (about line 154)
$urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
replace with
if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; }
7. Fix for the SQL injection made possible by cookie leakage
1. /member/article_add.php file, search (about line 83)
if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode))
change to
if (empty($dede_fieldshash) || ( $dede_fieldshash != md5($dede_addonfields . $cfg_cookie_encode) && $dede_fieldshash != md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)))
2. /member/inc/inc_archives_functions.php file, search (about line 239)
echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />";
change to
echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"". md5($dede_addonfields . 'anythingelse' .$cfg_cookie_encode) ."\" />";