Shopex post Remote code execution vulnerability Repair patch

Source: Internet
Author: User

Shopex has released patch KS47103 for the single-store version V4.7.1, fixing a remote code execution vulnerability. After receiving the vulnerability report (Shopex Remote Code Execution Vulnerability), Shopex's engineers responded quickly and completed producing, testing and releasing the patch within 30 minutes.

The vulnerability stems from the unsafe global variable registration mechanism (register_globals) of early PHP. Although PHP abandoned this mechanism more than 5 years ago, some servers are still configured with it enabled. The vulnerability therefore only affects installations on small hosting providers or self-managed hosts whose servers are not securely configured.

Although most Shopex users are not affected by this vulnerability, all Shopex users are still asked to apply the patch immediately.

Related instructions:

Patch download: Log in to the store's admin backend and open the "Upgrade Information" column on the desktop to view and download the patch.

Can't see the patch in the backend? That is probably because the version.txt file under the root directory has been deleted; upload it again.

Patch upgrade: Unzip the downloaded patch package and upload the patch files in binary mode to the corresponding directories on the server, overwriting the original files.
Note: the upload must be in binary mode, otherwise errors such as "Fatal error: unable to read 10790 bytes in /home/public_html/..." will appear.

Patch package contents:
• Fixed the remote code execution vulnerability
• Fixed the front-end "send to a friend" function
• Fixed the verification code problem in some server environments
• Fixed store message link address resolution issues
• Fixed the NPS gateway return issue
• Fixed the Shopex customer service document
• Other minor optimizations and page display corrections

Patch download address:
Http://update.shopex.com.cn/version/program/KS47103.zip

Upon inspection, none of the host configurations provided by Shopex have this security issue.

Related reading:

How to configure your host securely

The recently discovered Shopex remote code execution vulnerability was caused by the global variable registration option (register_globals) being incorrectly enabled in the PHP configuration of the user's server. This shows how important the server's security configuration is; in fact, global variable registration is the most common cause of security flaws in PHP programs.

Since its introduction, the global registration mechanism has been criticized by PHP developers, who eventually decided to remove it and replace it with a better mechanism for accessing input parameters. Starting with PHP 4.1, a mechanism called superglobal variables was introduced: $_GET, $_POST, $_COOKIE, $_SERVER and $_ENV represent input from different sources, and they can be referenced anywhere in a script. After superglobals were successfully adopted in PHP 4.1, PHP 4.2, released in April 2002, disabled the global variable registration mechanism by default.

However, although new PHP installations have global variable registration off by default, a PHP installation that has been upgraded keeps its original setting in php.ini. In addition, many small hosting providers, and individuals who set up their own servers, deliberately enable global variable registration because they run old, poorly written programs that rely on it for input handling.

Therefore, check your host's php.ini file immediately; if register_globals is set to on, change it to off to improve the security of your host.

How do you determine whether register_globals is enabled on a host? It is very simple.

Use Notepad to create a file called info.php with the following content:

<?php
// Print the PHP configuration, including the register_globals setting
phpinfo();
?>

Upload it to the server and open it in a browser; the server returns its configuration information. Find the register_globals row: on a securely configured host, this option should be Off.
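The following script is an added example; it is not code from the original article or from Shopex. It ties together the two points above: it checks the register_globals setting from inside PHP (the same value phpinfo() shows), reproduces with a constructed request array the uninitialised-variable failure mode that makes register_globals dangerous, and shows the hardened pattern that reads input only through superglobals and initialises every variable locally. All function names, the sample request and the sample session are constructed for illustration.

```php
<?php
// Added example, not part of the original article or of Shopex's code.
// Run from the command line: php register_globals_check.php

// (1) Configuration check. ini_get() returns the raw php.ini value
// ("1", "On", "", "Off", ...), or false on PHP 5.4+ where the
// directive no longer exists and therefore cannot be enabled.
function register_globals_enabled()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return false;
    }
    return (bool) filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Constructed request, as the web server would have populated $_GET.
// The 'authorized' key is not something the application ever sends;
// it stands for an arbitrary extra parameter supplied by a client.
$request = array('page' => 'home', 'authorized' => '1');
$session = array();   // constructed: nobody is logged in

// (2) Unsafe pattern at file scope. With register_globals = On, PHP
// turned every request parameter into a global variable before the
// script ran; extract() reproduces that behaviour here. The script only
// sets $authorized on the success path and trusts it afterwards, so the
// request-supplied value is what gets checked.
extract($request);                                    // simulates register_globals = On
if (isset($session['user']) && $session['user'] === 'admin') {
    $authorized = true;                               // only set on the success path
}
$unsafe_result = isset($authorized) && $authorized;   // true, although nobody logged in

// (3) Hardened pattern: every variable is initialised locally, input is
// read only from the superglobal passed in, and free-form values are
// matched against a whitelist instead of being trusted.
function safe_is_authorized(array $session)
{
    $authorized = false;                              // always initialised
    if (isset($session['user']) && $session['user'] === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

function safe_page_from_request(array $get)
{
    $allowed = array('home', 'cart', 'contact');      // constructed whitelist
    $page = isset($get['page']) ? (string) $get['page'] : 'home';
    return in_array($page, $allowed, true) ? $page : 'home';
}

echo "register_globals enabled: ", register_globals_enabled() ? "yes\n" : "no\n";
echo "unsafe pattern granted access: ", $unsafe_result ? "yes\n" : "no\n";
echo "hardened pattern granted access: ", safe_is_authorized($session) ? "yes\n" : "no\n";
echo "page selected: ", safe_page_from_request($request), "\n";
?>
```

Because extract() is used only to emulate the old mechanism, the unsafe branch reports "yes" regardless of the host's actual php.ini, while the hardened functions report "no" and "home"; the first line reflects the real configuration of the PHP interpreter running the script, which is the value to act on.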

