Directory
1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability description
In general, the root cause of this vulnerability is "register_globals = on". An attacker can use this attack vector when all of the following hold:
1. The current Web site has "register_globals = on" turned on.
2. The code uses variables that are never explicitly declared or initialized.
3. The user-submitted HTML form contains a field with the same name as one of those variables.
Under these premises, the attacker can arbitrarily control the value of the variable in the code.
Broadly speaking, an attacker has two ways to exploit this flaw and break in:
1. By injecting and overriding the variable $cfg_basedir, the attacker bypasses authentication and the system variable initialization files, which makes it possible to upload arbitrary files into a specified directory.
2. By injecting and overwriting $cfg_not_allowall, $newname and other variables, the attacker bypasses the file extension check in the defense code and uploads a Webshell directly into the target folder.
The ultimate goal of both attack vectors is to upload a Webshell (a .php, .asp, .htaccess or similar file) to the server.
Relevant Link:
http://huaidan.org/archives/3386.html
http://sebug.net/vuldb/ssvid-12518
http://4byte.cn/learning/51122.html
https://code.google.com/p/Webfiles/source/browse/files/localhost/htdocs/cxtx/include/dialog/select_soft_post.php?spec=svn40&r=17
2. Vulnerability Trigger Condition
1. register_globals = on: a security setting of the site itself
2. The attacker can assign a value to the related variable through a custom form: a forged HTTP request
3. Vulnerability Impact Range
Dedecms v5.5
4. Vulnerability Code Analysis
/include/dialog/select_soft_post.php
Relevant Link:
http://www.verydemo.com/demo_c116_i56826.html
5. Defense Methods
0x1: Upgrade to the latest version of Dedecms
0x2: Patch the code
We know that the source of this vulnerability is a malicious file upload made possible by PHP variable overwriting. Rather than defending against the overwrite itself, a code-level defense can block the last step of the intrusion, the getshell, by:
1. Placing the file name check at the very end of the code flow, after every variable has been resolved.
2. Matching the file name against the ".php, .asp" family of extensions with a regular expression to prevent Webshell upload.
/include/dialog/select_soft_post.php
Defence code
....
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$#i', trim($filename))) {
    ShowMsg("The file name you specified is forbidden by the system!", 'javascript:;');
    exit();
}
$fullfilename = $cfg_basedir . $activepath . '/' . $filename;
$fullfileurl  = $activepath . '/' . $filename;
...
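The defence above only works if it runs on the final file name, after every earlier variable has been resolved, so that an overwritten $cfg_not_allowall or $newname cannot switch it off. The following stand-alone function is an added example, not Dedecms project code: it keeps the page's extension list and check order, and adds two assumptions of its own (the .htaccess entry, which section 1 names as a Webshell carrier, and normalisation of trailing dots and spaces). The sample names at the bottom are constructed.

```php
<?php
// Added example (not Dedecms project code): a file name gate that mirrors the
// defence placed at the end of select_soft_post.php's flow. The extension list
// is the one on the page; the htaccess entry and the trailing-dot/space
// normalisation are assumptions added here.

const FORBIDDEN_EXT_PATTERN = '#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml|htaccess)$#i';

/**
 * Return true when $filename must be refused before it is joined to a server
 * path. The check runs on the final name, after all variables are resolved, so
 * an overwritten $cfg_not_allowall or $newname cannot disable it.
 */
function is_forbidden_upload_name(string $filename): bool
{
    // Normalise the way the page's code does (trim), plus strip trailing dots
    // and spaces that some filesystems silently drop (assumption).
    $name = rtrim(trim($filename), ". ");

    // Reject empty names and any path separator: the name must be a leaf.
    if ($name === '' || strpbrk($name, "/\\\0") !== false) {
        return true;
    }
    return preg_match(FORBIDDEN_EXT_PATTERN, $name) === 1;
}

/**
 * Build the destination path only after the gate has passed, in the same order
 * as the patched select_soft_post.php: check first, then join
 * $cfg_basedir . $activepath . '/' . $filename.
 */
function resolve_upload_target(string $cfg_basedir, string $activepath, string $filename): ?string
{
    if (is_forbidden_upload_name($filename)) {
        return null;
    }
    return $cfg_basedir . $activepath . '/' . $filename;
}

// Constructed sample names, not taken from any real upload.
$samples = ['report.pdf', 'shell.php', 'shell.PHP ', 'x.php5', 'notes.txt.php', '.htaccess', '../evil.jpg'];
foreach ($samples as $s) {
    $target = resolve_upload_target('/var/www/html', '/uploads', $s);
    printf("%-18s => %s\n", var_export($s, true), $target === null ? 'REJECTED' : $target);
}
```

Only report.pdf resolves to a path; the others are refused because of a forbidden extension (case-insensitive, trailing space stripped), a double extension ending in .php, the .htaccess name, or a path separator in the name.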
6. Defensive Thinking
0x1: Official Repair Program
File upload is a common function of Web systems. The best defense practice is to turn the defense code into a shared module, place it at the key nodes of the Web system, and apply it to every file upload in an object-oriented way.
Dedecms itself has already done this work.
1. include/common.inc.php
// Check and register variables submitted from outside
function CheckRequest(&$val) {
    if (is_array($val)) {
        foreach ($val as $_k => $_v) {
            CheckRequest($_k);
            CheckRequest($val[$_k]);
        }
    } else {
        if (strlen($val) > 0 && preg_match('#^(cfg_|GLOBALS)#', $val)) {
            exit('Request var not allow!');
        }
    }
}
2. /include/uploadsafe.inc.php
// Prevent users from tampering with the database through possible injection
// Certain file types are forcibly forbidden from being uploaded here
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";
...
if (!empty(${$_key.'_name'}) && (eregi("\.(".$cfg_not_allowall.")$", ${$_key.'_name'}) || !ereg("\.", ${$_key.'_name'}))) {
    if (!defined('DEDEADMIN')) {
        exit('Upload filetype not allow!');
    }
}
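To make the mechanism from section 1 and the CheckRequest() defense above concrete, here is an added example (not Dedecms project code). It emulates what register_globals = on did, shows why a never-initialised $cfg_basedir ends up under the caller's control, and applies the two fixes the page describes: assign configuration from a trusted source before any request data is read, and refuse request keys that begin with cfg_ or GLOBALS, as CheckRequest() in include/common.inc.php does. The request array, the base directory and the function names are constructed for the demo; check_request() throws instead of calling exit() so both paths can be printed from one script.

```php
<?php
// Added example (not Dedecms project code). Emulates register_globals, then
// contrasts an uninitialised-variable flow with a hardened one.

/** Emulate register_globals = on: every request key becomes a global variable. */
function emulate_register_globals(array $request): void
{
    foreach ($request as $k => $v) {
        $GLOBALS[$k] = $v;
    }
}

/**
 * Recursive equivalent of Dedecms's CheckRequest(): reject any key or value
 * starting with cfg_ or GLOBALS. Throws rather than exit() so the demo continues.
 */
function check_request(&$val): void
{
    if (is_array($val)) {
        foreach ($val as $_k => $_v) {
            check_request($_k);
            check_request($val[$_k]);
        }
    } elseif (strlen((string)$val) > 0 && preg_match('#^(cfg_|GLOBALS)#', (string)$val)) {
        throw new RuntimeException('Request var not allow!');
    }
}

/** Vulnerable flow: $cfg_basedir is used but never initialised by the code. */
function vulnerable_target(string $activepath, string $filename): string
{
    global $cfg_basedir;            // undefined unless the request supplied it
    return (string)$cfg_basedir . $activepath . '/' . $filename;
}

/** Hardened flow: trusted config first, then request screening, then path build. */
function hardened_target(array $request, string $activepath, string $filename): string
{
    $cfg_basedir = '/var/www/html'; // trusted value (constructed), set before request data is touched
    check_request($request);        // throws on cfg_* / GLOBALS keys or values
    return $cfg_basedir . $activepath . '/' . $filename;
}

// Constructed request: a form that carries cfg_basedir next to the upload fields.
$request = ['activepath' => '/uploads', 'filename' => 'a.jpg', 'cfg_basedir' => '/tmp/untrusted'];

emulate_register_globals($request);
echo "vulnerable: ", vulnerable_target($request['activepath'], $request['filename']), "\n";

try {
    echo "hardened:   ", hardened_target($request, $request['activepath'], $request['filename']), "\n";
} catch (RuntimeException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}
```

The vulnerable branch prints a path rooted at the request-supplied /tmp/untrusted, because the global was populated by the emulated register_globals before the code ever read it; the hardened branch rejects the request outright, and even without that screen its local $cfg_basedir would still win because it is assigned before use.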
0x2: Fix for the select_soft_post.php file
....
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$#i', trim($filename))) {
    ShowMsg("The file name you specified is forbidden by the system!", 'javascript:;');
    exit();
}
$fullfilename = $cfg_basedir . $activepath . '/' . $filename;
$fullfileurl  = $activepath . '/' . $filename;
...
Copyright (c) Littlehann All rights reserved
Dedecms include\dialog\select_soft_post.php: Upload Arbitrary Files to a Specified Directory via an Uninitialized Variable Flaw, Bypassing the Extension Defence