DEDECMS Session variable overwrite causes SQL injection Vulnerability Patching scenario

Tag: Get BSP ALS Operation search color causes database connection Webshell

Dedecms/plus/advancedsearch.php, directly from $_session[$sqlhash] get the value as $query into the SQL query, the exploit premise is Session.auto_start = 1 The automatic session is started.

Harm:

1. Hackers can use this vulnerability to redefine a database connection.

2. Through this vulnerability to a variety of ultra-vires operation construction vulnerabilities directly written to the Webshell backdoor.

The Cloud Shield team has a universal unified defense in the DEDEMCS variable registration portal, which prohibits the entry of session variables, and fixes the following methods:

Open/mnt/www/xiaoshuo/include/common.inc.php file with a text editor

First, search the following string

(cfg_| Globals|_get|_post| _cookie)  To be replaced by (Cfg_| globals|_get|_post|_cookie| _session)  

There are two places ' can be replaced '

Second, search the following code:

    foreach(Array ('_get','_post','_cookie') as$_request) {        foreach($_request as$_k =$_v) {                        if($_k = ='Nvarname') ${$_k} =$_v; Else${$_k} =_runmagicquotes ($_V); }

To be replaced by:

foreach(Array ('_get','_post','_cookie') as$_request) {         foreach($_request as$_k =$_v) {                    if(strlen ($_k) >0&& eregi ('^ (cfg_| GLOBALS)', $_k)) {Exit ('Request var not allow!'); } ${$_k}=_runmagicquotes ($_V); }}

Such a session variable overwrite causes the SQL injection vulnerability to be resolved!

DEDECMS Session variable overwrite causes SQL injection Vulnerability Patching scenario