catalog
. 漏洞描述
. 漏洞触发条件
. 漏洞影响范围
. 漏洞代码分析
. 防御方法
. 攻防思考
1. 漏洞描述
通过该漏洞可以注入恶意代码到评论标题里,网站管理员在后台管理用户评论时触发恶意代码,直接危及到网站服务器安全
Relevant Link:
http://skyhome.cn/dedecms/367.html
http://www.soushaa.com/dedecms/dede_11533.html
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
/plus/feedback_ajax.php
//保存评论内容
if(!empty($fid))
{
$row = $dsql->GetOne("Select username,msg from `#@__feedback` where id ='$fid' ");
$qmsg = '{quote}{title}'.$row['username'].' 的原帖:{/title}{content}'.$row['msg'].'{/content}{/quote}';
$msg = addslashes($qmsg).$msg;
}
$ischeck = ($cfg_feedbackcheck=='Y' ? : );
//未对$title进行有效的XSS过滤
$arctitle = addslashes($title);
$inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`)
VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','','','$feedbacktype','$face','$msg'); ";
/templets/feedback_main.htm
//未进行有效的输入XSS过滤
<u>{dede:field.arctitle/}</u>
/templets/feedback_edit
//未进行有效的输入XSS过滤
<?php echo $row['arctitle']; ?>
5. 防御方法
/plus/feedback_ajax.php
//保存评论内容
if(!empty($fid))
{
$row = $dsql->GetOne("Select username,msg from `#@__feedback` where id ='$fid' ");
$qmsg = '{quote}{title}'.$row['username'].' 的原帖:{/title}{content}'.$row['msg'].'{/content}{/quote}';
$msg = addslashes($qmsg).$msg;
}
$ischeck = ($cfg_feedbackcheck=='Y' ? : );
//未对$title进行有效的XSS过滤
//$arctitle = addslashes($title);
/* 增加XSS防御逻辑 */
$arctitle = addslashes(HtmlReplace($title));
$typeid = intval($typeid);
$feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);
/* */
/templets/feedback_main.htm
<u>{dede:field.arctitle function=HtmlReplace(@me)/}</u>
/templets/feedback_edit
<?php echo HtmlReplace($row['arctitle']); ?>
Relevant Link:
http://www.111cn.net/wy/Dedecms/55965.htm
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved