The latest dedecms SQL injection 0-day vulnerability-what should I do?

Source: Internet
Author: User
The latest DedeCMS SQL injection 0-day vulnerability was reported on April 9. April 29 message: the Chinese security research team "Know Chuangyu" said that the latest DedeCMS SQL injection 0-day had been intercepted. The latest version, 5.7, provided on the official DedeCMS website is also affected, and the official team had provided no patch or workaround at the time of this alert. The vulnerability is easy to exploit, and the vulnerable module is enabled by default after DedeCMS is installed.

The "Know Chuangyu" team provides three temporary solutions:

Solution 1: four steps are required for temporary patching

1. Make sure that magic_quotes_gpc = On

How to enable it: open php.ini in the PHP installation directory (if you are using an integrated environment such as AppServ, php.ini may be on the system drive, e.g. C:\windows\php.ini), search for magic_quotes_gpc and set it to On.

2.

Near line 22 of /plus/carbuyaction.php:

if ($cfg_mb_open == 'N') { ShowMsg("The membership function is disabled, so you cannot access this page!", "javascript:;"); exit(); }

Add a line of code below it:

$rs = array();

3.

Near line 33 of member/ajax_membergroup.php:

if (empty($membergroup)) { echo "You have not set the group!"; exit; }

Add the following code below it (note the !== false: strpos() returns 0 when the quote is the first character, and a bare truthiness test would let that case through):

if (strpos($membergroup, "'") !== false) { echo "Temporary patch for SQL injection protection. The Chuangyu security team reminds you to pay attention to the official patch!"; exit; }

4.

The original line near line 36 of member/ajax_membergroup.php is

$row = $dsql->GetOne("SELECT groupname FROM #@__member_group WHERE mid={$cfg_ml->M_ID} AND id={$membergroup}");

Change it to

$row = $dsql->GetOne("SELECT groupname FROM #@__member_group WHERE mid={$cfg_ml->M_ID} AND id='{$membergroup}'");

Solution 2: disable the membership function as a website administrator

System-> Basic System parameters-> member Settings-> whether to enable the membership function to change to (no)

Solution 3: If your website does not need the membership function, directly rename or delete the vulnerable file /member/ajax_membergroup.php. This is the most brutal but most effective method.

Note: the temporary patch given in this article is only a stopgap defence; it has a slight impact on the system and has not been fully tested. For a proper fix, wait for the official patch.
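To make the effect of steps 3 and 4 concrete, here is an added example (not code from the page, from DedeCMS or from the Know Chuangyu team) that reproduces the query shape of member/ajax_membergroup.php in three forms: the original unquoted interpolation, the temporary patch (quote check plus quoting), and an integer-validated, parameterised version. It runs against an in-memory SQLite table that stands in for #@__member_group, so it also shows what the value id=0 or 1=1 discussed in the replies below does to each form. Assumptions: the pdo_sqlite extension is available, the table name dede_member_group and the two rows are constructed sample data, and the lookup* function names are mine.

```php
<?php
// Added example, not DedeCMS or Know Chuangyu code. The table and rows below
// are constructed sample data standing in for #@__member_group; the function
// names are assumptions for this demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE dede_member_group (id INTEGER PRIMARY KEY, mid INTEGER, groupname TEXT)");
$db->exec("INSERT INTO dede_member_group (id, mid, groupname) VALUES "
        . "(1, 1, 'group of member 1'), (2, 7, 'group of member 7')");

// 1. The original shape: $membergroup interpolated unquoted and unvalidated,
//    so whatever arrives in the URL becomes part of the WHERE clause.
function lookupOriginal(PDO $db, int $mid, string $membergroup): ?string
{
    $sql = "SELECT groupname FROM dede_member_group WHERE mid={$mid} AND id={$membergroup}";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['groupname'] : null;
}

// 2. The temporary patch (steps 3 and 4 above): refuse a single quote, then
//    quote the value. !== false so a quote at offset 0 is also caught.
function lookupTempPatch(PDO $db, int $mid, string $membergroup): ?string
{
    if (strpos($membergroup, "'") !== false) {
        return null; // the real patch echoes a notice and calls exit here
    }
    $sql = "SELECT groupname FROM dede_member_group WHERE mid={$mid} AND id='{$membergroup}'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['groupname'] : null;
}

// 3. Proper fix: the id is an integer, so accept only digits and bind it as a
//    query parameter; no attacker-controlled text ever reaches the SQL string.
function lookupHardened(PDO $db, int $mid, string $membergroup): ?string
{
    if (!ctype_digit($membergroup)) {
        return null;
    }
    $stmt = $db->prepare("SELECT groupname FROM dede_member_group WHERE mid=? AND id=?");
    $stmt->execute([$mid, (int) $membergroup]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['groupname'] : null;
}

$mid = 7; // stands in for $cfg_ml->M_ID, the logged-in member's id
$inputs = [
    ['2',        "legitimate request for this member's own group"],
    ['0 or 1=1', 'the value discussed in the replies; it contains no quote'],
];

foreach ($inputs as [$membergroup, $why]) {
    echo "membergroup={$membergroup} ({$why})\n";
    echo "  original:  " . var_export(lookupOriginal($db, $mid, $membergroup), true) . "\n";
    echo "  temporary: " . var_export(lookupTempPatch($db, $mid, $membergroup), true) . "\n";
    echo "  hardened:  " . var_export(lookupHardened($db, $mid, $membergroup), true) . "\n";
}
```

Run it with php on the command line. For the legitimate value 2 all three functions return 'group of member 7'. For 0 or 1=1 the original form evaluates (mid=7 AND id=0) OR 1=1 and returns the first row, 'group of member 1', which belongs to a different member: the mid check is defeated without a single quote character, which is why step 1 (magic_quotes_gpc, which only escapes quotes) does nothing for this shape. The temporary patch and the hardened version both return NULL for that input; SQLite compares the quoted text against the integer column and finds no match, and MySQL would silently cast the string to 0 with the same result. Only the hardened version rejects the input before any SQL is built, which is the property to aim for once the official patch is applied.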

------ Solution --------------------
Phpnewnew has been contributing. Hard work. Thank you for choosing DEDECMS.
------ Solution --------------------
I often use DEDE and sometimes get hacked.
------ Solution --------------------
Discussion

Reference:

Phpnewnew has been contributing. Hard work. Thank you for choosing DEDECMS.


Apsara stack ~ let me copy it; that's the security company's correction code.

------ Solution --------------------
Not considered
$row = $dsql->GetOne("SELECT groupname FROM #@__member_group WHERE mid={$cfg_ml->M_ID} AND id={$membergroup}");
This may cause a threat.

A little worrying, right?
------ Solution --------------------
Discussion

Not considered
$row = $dsql->GetOne("SELECT groupname FROM #@__member_group WHERE mid={$cfg_ml->M_ID} AND id={$membergroup}");
This may cause a threat.

A little worrying, right?

------ Solution --------------------
$membergroup is an unprocessed variable taken directly from the URL,
so
$row = $dsql->GetOne("SELECT groupname FROM #@__member_group WHERE mid={$cfg_ml->M_ID} AND id=0 or 1=1");
only retrieves the first row in the table.
That first row is usually the root of the classification, which is why it cannot constitute a threat.
------ Solution --------------------
That is not the case for {$membergroup}: if it is data the user can manipulate, isn't an integer injection possible?

Discussion

Not considered
$row = $dsql->GetOne("SELECT groupname FROM #@__member_group WHERE mid={$cfg_ml->M_ID} AND id={$membergroup}");
This may cause a threat.

A little worrying, right?

------ Solution --------------------
It is not possible to union other tables. if it is the root permission, the file code can be burst in conjunction with the mysql function, and then the root password will be logged into the insert php code and output the form to upload the pony ......

The above pure ideas,

Discussion

$membergroup is an unprocessed variable taken directly from the URL,
so
$row = $dsql->GetOne("SELECT groupname FROM #@__member_group WHERE mid={$cfg_ml->M_ID} AND id=0 or 1=1");
only retrieves the first row in the table.
That first row is usually the root of the classification, which is why it cannot constitute a threat.

------ Solution --------------------
Discussion

It is not possible to union other tables. if it is the root permission, the file code can be burst in conjunction with the mysql function, and then the root password will be logged into the insert php code and output the form to upload the pony ......
