catalog
1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考
1. 漏洞描述
通过该漏洞可以注入恶意代码到评论标题里,网站管理员在后台管理用户评论时触发恶意代码,直接危及到网站服务器安全
Relevant Link:
http://skyhome.cn/dedecms/367.html http://www.soushaa.com/dedecms/dede_11533.html
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
/plus/feedback_ajax.php
//保存评论内容 if(!empty($fid)) { $row = $dsql->GetOne("Select username,msg from `#@__feedback` where id ='$fid' "); $qmsg = '{quote}{title}'.$row['username'].' 的原帖:{/title}{content}'.$row['msg'].'{/content}{/quote}'; $msg = addslashes($qmsg).$msg; } $ischeck = ($cfg_feedbackcheck=='Y' ? 0 : 1); //未对$title进行有效的XSS过滤 $arctitle = addslashes($title); $inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); ";
/templets/feedback_main.htm
//未进行有效的输入XSS过滤 <u>{dede:field.arctitle/}</u>
/templets/feedback_edit
//未进行有效的输入XSS过滤 <?php echo $row['arctitle']; ?>
5. 防御方法
/plus/feedback_ajax.php
//保存评论内容 if(!empty($fid)) { $row = $dsql->GetOne("Select username,msg from `#@__feedback` where id ='$fid' "); $qmsg = '{quote}{title}'.$row['username'].' 的原帖:{/title}{content}'.$row['msg'].'{/content}{/quote}'; $msg = addslashes($qmsg).$msg; } $ischeck = ($cfg_feedbackcheck=='Y' ? 0 : 1); //未对$title进行有效的XSS过滤 //$arctitle = addslashes($title); /* 增加XSS防御逻辑 */ $arctitle = addslashes(HtmlReplace($title)); $typeid = intval($typeid); $feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype); /* */
/templets/feedback_main.htm
<u>{dede:field.arctitle function=HtmlReplace(@me)/}</u>
/templets/feedback_edit
<?php echo HtmlReplace($row['arctitle']); ?>
Relevant Link:
http://www.111cn.net/wy/Dedecms/55965.htm
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved