DedeCMS (织梦) select_soft_post.php arbitrary file upload vulnerability: how to fix it

Recently, many site operators have found that after installing DedeCMS on an Alibaba Cloud server, the Alibaba Cloud console reports a DedeCMS arbitrary file upload vulnerability. The affected file is /include/dialog/select_soft_post.php in the DedeCMS installation directory.

The cause is that, when the full file name is built, file types that are harmful to the server are not filtered out, so the filtering code has to be added by hand. The steps are as follows:

Open the file /include/dialog/select_soft_post.php and locate this line in it:

$fullfilename = $cfg_basedir.$activepath.'/'.$filename;

Add the following code directly above that line:

// Reject a blocked extension that is followed by trailing non-alphanumeric characters (e.g. "x.php.")
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) {
    ShowMsg("你指定的文件名被系统禁止!",'javascript:;');
    exit();
}
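
To see exactly which names the check above rejects, here is an added example (my own PHP, not DedeCMS code) that wraps the same preg_match test in a function and runs it over constructed file names, next to a hypothetical extension allowlist that is an assumption of this example and not part of the patch. The pattern only matches when a blocked extension is followed by one or more trailing non-alphanumeric characters (such as "x.php."), so a name that simply ends in .php is not matched by this pattern on its own; that is why an allowlist of permitted upload extensions should remain the primary control, with this pattern as an extra guard against trailing-character tricks.

```php
<?php
// Added example, not DedeCMS code: reproduces the file-name check from the
// patch as a standalone function and pairs it with a hypothetical extension
// allowlist so the two can be compared on constructed inputs.

// The pattern from the patch: a blocked extension followed by one or more
// trailing non-alphanumeric characters (e.g. "x.php."), case-insensitive.
const FORBIDDEN_NAME_PATTERN =
    '#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i';

// Mirrors the patch exactly: trim() the name, then reject on a match.
function is_forbidden_upload_name(string $filename): bool
{
    return preg_match(FORBIDDEN_NAME_PATTERN, trim($filename)) === 1;
}

// Hypothetical complementary check (an assumption of this example, not part
// of the patch): strip trailing dots and spaces that some filesystems drop
// silently, take the final extension, and accept only allowlisted ones.
function passes_extension_allowlist(string $filename, array $allowedExts): bool
{
    $name = rtrim(trim($filename), " .");
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowedExts, true);
}

// Constructed sample file names (not taken from any real upload).
$samples = [
    'report.pdf',      // ordinary document
    'archive.zip',     // ordinary archive
    'shell.php.',      // trailing dot after a blocked extension
    'Shell.PHP..',     // upper case, several trailing dots
    'shell.php',       // bare .php: not matched by the pattern alone
    'image.jpg.php',   // double extension ending in .php
];
$allowed = ['zip', 'rar', 'pdf', 'jpg', 'gif', 'png'];  // assumed allowlist

printf("%-16s %-18s %s\n", 'filename', 'patch pattern', 'allowlist');
foreach ($samples as $sample) {
    printf("%-16s %-18s %s\n",
        $sample,
        is_forbidden_upload_name($sample) ? 'rejected' : 'not matched',
        passes_extension_allowlist($sample, $allowed) ? 'accepted' : 'rejected');
}
```

Save it under any name and run it with the php CLI; each row prints the patch pattern's verdict beside the allowlist's verdict, so you can confirm that "shell.php." and "Shell.PHP.." are caught by the added check while "shell.php" and "image.jpg.php" are stopped only by the allowlist.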

Once the code has been added, save the file and replace the original with it, then re-run the vulnerability check in the Alibaba Cloud console to confirm the finding is cleared.
