Pursuing a Dream: DedeCMS vulnerability fix collection (5.7 and above)

Many people complain about DedeCMS: because so many sites use it, many people also hunt for holes in it. But if we can fix those holes, they are not a problem.


      Well, let's fix them one by one. The method is: download the file from the listed directory, replace or add the code segment, then upload it to overwrite the original (remember to back up first). The advantage of doing it by hand is that you avoid the problems of a ready-made patch package: after uploading it, text may be garbled because of the UTF-8/GBK difference, or files you had already modified get overwritten and your earlier changes are lost, which is very troublesome to redo. If you cannot find the exact line number, look for similar code, then copy the part I have marked in red to the corresponding position.

      Arbitrary file upload vulnerability fixes

      1. /include/dialog/select_soft_post.php: search (around line 72) for
      $fullfilename = $cfg_basedir.$activepath.'/'.$filename;
      Modify to
      if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) {
          ShowMsg("The file name you specified is prohibited by the system!", 'javascript:;');
          exit();
      }
      $fullfilename = $cfg_basedir.$activepath.'/'.$filename;

      2. /dede/media_add.php (or /<your admin directory>/media_add.php if the admin directory was renamed): search (around line 69) for
      $fullfilename = $cfg_basedir.$filename;
      Replace with
      if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) {
          ShowMsg("The file name you specified is prohibited by the system!", 'javascript:;');
          exit();
      }
      $fullfilename = $cfg_basedir.$filename;

      3. /include/uploadsafe.inc.php (two places):

      (1) Search (around lines 42-43) for
      ${$_key.'_size'} = @filesize($$_key);
      }
      Replace with
      ${$_key.'_size'} = @filesize($$_key);
      }
      $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");
      if (in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) {
          $image_dd = @getimagesize($$_key);
          if ($image_dd == false) {
              continue;
          }
          if (!is_array($image_dd)) {
              exit('Upload filetype not allow!');
          }
      }
      If the article page comes up blank after the change, check carefully whether a brace } is missing or duplicated; note that line 44 of this file is blank and contains no code.

      (2) Search (around line 53) for
      $image_dd = @getimagesize($$_key);
      Replace with
      $image_dd = @getimagesize($$_key);
      if ($image_dd == false) {
          continue;
      }

     As before: mark each place to modify, save, back up the original file first (for example rename it to uploadsafe.inc.php.16.08.09.bak), and then upload the edited file.
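The two upload checks above, the forbidden-name test from select_soft_post.php/media_add.php and the claimed-image test from uploadsafe.inc.php, as stand-alone PHP functions run over constructed inputs. This is an added example, not DedeCMS code: the function names are my own, the file names are constructed, and the two temporary files (a real 1x1 GIF and a text file) are constructed in the script.

```php
<?php
// Added example, not DedeCMS code. Function names are my own; inputs are constructed.

// Same regex as the select_soft_post.php / media_add.php fix: refuse names whose
// script extension is followed by trailing non-alphanumeric bytes (e.g. "x.php."),
// a shape some servers still hand to the script interpreter. A plain "x.php" does
// not match this regex; that case is left to the upload code's own extension
// whitelist, which this check supplements rather than replaces.
function forbidden_upload_name($filename)
{
    $pattern = '#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i';
    return preg_match($pattern, trim($filename)) === 1;
}

// Same idea as the uploadsafe.inc.php fix: when the client claims an image MIME
// type, the file must really parse as an image. The page's fix reaches `continue`
// when getimagesize() fails, which moves on to the next uploaded file; here that
// case is reported as a rejection so the caller can refuse the upload.
function check_claimed_image($tmp_path, $claimed_type)
{
    $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png",
                     "image/xpng", "image/wbmp", "image/bmp");
    if (!in_array(strtolower(trim($claimed_type)), $imtypes)) {
        return 'not an image claim';
    }
    $image_dd = @getimagesize($tmp_path);
    if ($image_dd === false || !is_array($image_dd)) {
        return 'reject: claimed image does not parse as one';
    }
    return 'ok: ' . $image_dd['mime'];
}

// Constructed file names.
foreach (array('photo.jpg', 'report.php.', 'report.php', 'notes.PHP5;', 'report.pdf') as $name) {
    echo str_pad($name, 14), forbidden_upload_name($name) ? "blocked\n" : "passes\n";
}

// Constructed temporary files: a real 1x1 GIF and a plain text file.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=='));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "just text, not an image\n");

echo check_claimed_image($gif, 'image/gif'), "\n";
echo check_claimed_image($txt, 'image/jpeg'), "\n";
echo check_claimed_image($txt, 'application/pdf'), "\n";

unlink($gif);
unlink($txt);
```

The name check only looks at the tail of the name, so it belongs next to, not instead of, the extension whitelist; the image check trusts nothing the client sends and reads the file bytes instead, which is the part that catches a script uploaded with an image Content-Type.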

     SQL injection vulnerability fixes

      1. /include/filter.inc.php: search (around line 46) for
      return $svar;
      Modify to
      return addslashes($svar);

      2. /member/mtypes.php: search (around line 71) for
      $query = "UPDATE `dede_mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
      Modify to
      $id = intval($id);
      $query = "UPDATE `dede_mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";

      3. /member/pm.php: search (around line 65) for
      $row = $dsql->GetOne("SELECT * FROM `dede_member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");
      Modify to
      $id = intval($id);
      $row = $dsql->GetOne("SELECT * FROM `dede_member_pms` WHERE id='$id' AND (fromid='{$cfg_ml->M_ID}' OR toid='{$cfg_ml->M_ID}')");

      4. /plus/guestbook/edit.inc.php: search (around line 55) for
      $dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id'");
      Modify to
      $msg = addslashes($msg);
      $dsql->ExecuteNoneQuery("UPDATE `dede_guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id'");

      5. /plus/search.php: search (around line 109) for
      $keyword = addslashes(cn_substr($keyword, 30));
      Modify to
      $typeid = intval($typeid);
      $keyword = addslashes(cn_substr($keyword, 30));
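Items 1 to 5 above use two tools: intval() for numeric ids and addslashes() for strings. The following added example (my own code, not DedeCMS's) applies both the way the mtypes.php fix does, and then goes one step beyond the page by writing the same update as a prepared statement, which takes escaping out of the picture entirely. It assumes the pdo_sqlite extension is available; the table, rows and inputs are constructed in the script and the table name follows the page's dede_mtypes query.

```php
<?php
// Added example, not DedeCMS code. Assumes PHP with pdo_sqlite; all data is constructed.

// Part 1: escape-and-interpolate, as in the /member/mtypes.php fix.
// intval() reduces anything that is not a plain integer to an integer (or 0),
// so no quotes or operators survive into the SQL text; addslashes() backslash-
// escapes quotes in the string parameter.
function mtypes_update_sql($name, $id, $mid)
{
    $id   = intval($id);
    $mid  = intval($mid);
    $name = addslashes($name);
    return "UPDATE `dede_mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$mid'";
}

// Part 2 (beyond the page): the same update as a prepared statement. The values
// are bound separately from the SQL text, so the database never parses them.
function mtypes_update_pdo(PDO $db, $name, $id, $mid)
{
    $stmt = $db->prepare(
        "UPDATE dede_mtypes SET mtypename = :name WHERE mtypeid = :id AND mid = :mid"
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', intval($id), PDO::PARAM_INT);
    $stmt->bindValue(':mid', intval($mid), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed in-memory table standing in for the DedeCMS one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE dede_mtypes (mtypeid INTEGER, mid INTEGER, mtypename TEXT)");
$db->exec("INSERT INTO dede_mtypes VALUES (3, 5, 'old'), (4, 5, 'other')");

// A name with quotes and an id that is not a clean integer (both constructed).
$name = "O'Brien's list";
$id   = "3abc";

echo mtypes_update_sql($name, $id, 5), "\n";

$changed = mtypes_update_pdo($db, $name, $id, 5);
echo "rows changed: ", $changed, "\n";
foreach ($db->query("SELECT mtypeid, mtypename FROM dede_mtypes ORDER BY mtypeid") as $row) {
    echo $row['mtypeid'], ": ", $row['mtypename'], "\n";
}
```

Two caveats for the addslashes() approach in part 1: it only protects values that sit inside quotes in the query, which is why the fixes use intval() for ids rather than addslashes(); and on old PHP with magic_quotes_gpc enabled, request values arrive already escaped, so applying addslashes() again stores doubled backslashes. Part 2 has neither problem, which is why it is the form to move towards when touching this code anyway.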

      6. /member/soft_add.php: search (around line 154) for
      $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
      Replace with
      if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) {
          $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
      }

      7. Cookie leak leading to SQL injection: fixes

      (1) /member/article_add.php: search (around line 83) for
      if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode))
      Modify to
      if (empty($dede_fieldshash) || ($dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode) && $dede_fieldshash != md5($dede_addonfields.'anythingelse'.$cfg_cookie_encode)))

      (2) /member/inc/inc_archives_functions.php: search (around line 239) for
      echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />";
      Modify to
      echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.'anythingelse'.$cfg_cookie_encode)."\" />";
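The hidden dede_fieldshash field above binds the server-chosen list of add-on fields to the installation secret ($cfg_cookie_encode) so that a form post cannot change which fields are processed. The following added example (my own, not DedeCMS code) shows the same round trip, emit on the form and verify on submit, using hash_hmac() keyed with the secret and a constant-time comparison instead of the page's md5 concatenation; the secret value and the field list are constructed.

```php
<?php
// Added example, not DedeCMS code. The secret and field list are constructed values.

$cfg_cookie_encode = 'constructed-secret-change-me'; // assumption: the site's secret

// Hash over the server-chosen field list, keyed with the secret. A keyed HMAC
// is the standard form of the md5($fields.$secret) idea the fix uses.
function fields_hash($dede_addonfields, $secret)
{
    return hash_hmac('md5', $dede_addonfields, $secret);
}

// Form side: emit the hidden input, as inc_archives_functions.php does.
function hidden_fields_input($dede_addonfields, $secret)
{
    $h = fields_hash($dede_addonfields, $secret);
    return '<input type="hidden" name="dede_fieldshash" value="' . $h . '" />';
}

// Submit side: the field list that came back must carry a matching hash.
// hash_equals() compares in constant time, so timing does not leak the hash.
function fields_hash_valid($posted_fields, $posted_hash, $secret)
{
    if (empty($posted_hash)) {
        return false;
    }
    return hash_equals(fields_hash($posted_fields, $secret), $posted_hash);
}

// Constructed round trip.
$fields = 'title,body,price';
echo hidden_fields_input($fields, $cfg_cookie_encode), "\n";
$hash = fields_hash($fields, $cfg_cookie_encode);

// Field list unchanged: accepted.
var_dump(fields_hash_valid('title,body,price', $hash, $cfg_cookie_encode));
// Field list altered on the client: refused.
var_dump(fields_hash_valid('title,body,price,userid', $hash, $cfg_cookie_encode));
// Hash omitted: refused.
var_dump(fields_hash_valid('title,body,price', '', $cfg_cookie_encode));
```

The check is only as strong as the secret: the page's fix exists because $cfg_cookie_encode had leaked, and appending a fixed string such as 'anythingelse' is a stopgap. If the secret is known to have leaked, rotate it; every outstanding form will then fail verification once and be re-issued with a fresh hash.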

     SESSION variable overwriting leads to SQL injection

      /include/common.inc.php: search (around line 68) for
      if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#',$svar) )
      Modify to
      if( strlen($svar)>0 && preg_match('#^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)#',$svar) )
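common.inc.php registers request parameters as global variables (a register_globals emulation) and skips any name matching the deny-list in the condition above; the fix adds _SESSION to that list. The following added example (my own code, not DedeCMS's) runs a stand-alone version of that loop over a constructed request with both the old and the fixed pattern, so the effect of the one added name is visible. The request array is constructed; no real session is started.

```php
<?php
// Added example, not DedeCMS code. The request array is constructed.

// Stand-in for the common.inc.php loop: each request key becomes a global
// variable unless its name matches the deny pattern. Returns the refused names.
function register_request_vars(array $request, $deny_pattern)
{
    $refused = array();
    foreach ($request as $svar => $value) {
        if (strlen($svar) > 0 && preg_match($deny_pattern, $svar)) {
            $refused[] = $svar;
            continue;
        }
        $GLOBALS[$svar] = $value;   // what $$svar = $value does in global scope
    }
    return $refused;
}

$old_pattern = '#^(cfg_|GLOBALS|_GET|_POST|_COOKIE)#';
$new_pattern = '#^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)#';

// Constructed merge of GET/POST/COOKIE parameters.
$request = array(
    'id'       => '42',
    'cfg_demo' => 'x',
    '_SESSION' => array('note' => 'constructed'),
);

// Fixed pattern first: _SESSION is refused and the superglobal stays untouched.
$refused = register_request_vars($request, $new_pattern);
echo "fixed list refused: ", implode(', ', $refused), "\n";
echo "\$_SESSION defined after fixed pattern: ", isset($_SESSION) ? 'yes' : 'no', "\n";

// Old pattern: only cfg_demo is refused; the _SESSION key is registered and
// now shadows the session array for the rest of the request.
$refused = register_request_vars($request, $old_pattern);
echo "old list refused: ", implode(', ', $refused), "\n";
echo "\$_SESSION defined after old pattern: ", isset($_SESSION) ? 'yes' : 'no', "\n";
echo "id registered as: ", $id, "\n";
```

The deny-list approach is fragile by nature: every superglobal or internal name that is not listed can be shadowed from the request, which is exactly how _SESSION was missed. Code that reads $_SESSION to decide who the member is must be able to trust that it was populated by the session handler alone.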


     Payment module injection vulnerability

      /include/payment/alipay.php: search (around line 137) for
      $order_sn = trim($_GET['out_trade_no']);
      Modify to
      $order_sn = trim(addslashes($_GET['out_trade_no']));


     Uninitialized variable leads to local variable injection

      /include/dedesql.class.php: search (around line 590) for
      if (isset($GLOBALS['arrs1']))
      Modify to
      $arrs1 = array();
      $arrs2 = array();
      if (isset($GLOBALS['arrs1']))

      If $arrs1 or $arrs2 are already defined earlier in the file, adjust the code accordingly.

      This completes the modifications in this DedeCMS (5.7 and above) vulnerability fix collection, covering the arbitrary file upload and injection vulnerabilities.


Source: www.cnblogs.com/panziwen/p/10953293.html