dedecms

dedecms media_add.php后台文件任意上传漏洞修复方法

Submitted by phifans on Tue, 12/20/2022 - 10:30

 今天分享的漏洞是一个关于织梦dedecms后台文件任意上传漏洞修复方法,主要是文件/dede/media_add.php或者/你的后台名字/media_add.php。

搜索$fullfilename = $cfg_basedir.$filename;(大概在69行左右)      

替换成   if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!",'javascript:;'); exit(); } 

$fullfilename = $cfg_basedir.$filename;   

然后上传修改后的文件。

dedecms上传漏洞uploadsafe.inc.php修复方法(dedecms 5.3)

Submitted by phifans on Tue, 12/20/2022 - 10:29

今天分享的漏洞是一个关于织梦dedecms上传漏洞修复方法,主要是文件/include/uploadsafe.inc.php。

      有2个地方:

      1、搜索 ${$_key.'_size'} = @filesize($$_key);      }(大概在42,43行左右)

      替换成

          ${$_key.'_size'} = @filesize($$_key);

       } $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } }    

dedecms上传漏洞uploadsafe.inc.php修复方法(dedecms 5.5及以上

Submitted by phifans on Tue, 12/20/2022 - 10:27

 第8行或者搜索:$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";

 

替换成$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml|htm|html";

 

第二处:搜索:$image_dd = @getimagesize($$_key);

 

在下面加:if($image_dd == false){ continue; } 

如:
        $image_dd = @getimagesize($$_key);

        if($image_dd == false){ continue; } 

        if (!is_array($image_dd))

        {

            exit('Upload filetype not allow !');

        }

备注:修改前请做好备份。

dedecms安全漏洞之/include/common.inc.php漏洞解决办法

Submitted by phifans on Tue, 12/20/2022 - 10:26

 在 /include/common.inc.php  中
找到注册变量的代码

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
         foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}

修改为:

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
         foreach($$_request as $_k => $_v) {
                    if( strlen($_k)>0 && eregi('^(cfg_|GLOBALS)',$_k) ){
                            exit('Request var not allow!');
                   }
                    ${$_k} = _RunMagicQuotes($_v);
    }
}