Catalog
1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability description
This vulnerability allows malicious code to be injected into the comment title. When the webmaster manages user comments in the backend, the malicious code is triggered, which directly endangers the security of the site server.
Relevant Link:
http://skyhome.cn/dedecms/367.html
http://www.soushaa.com/dedecms/dede_11533.html
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
/plus/feedback_ajax.php
//Save Comments
if(!empty($fid))
{
    $row = $dsql->GetOne("SELECT username,msg FROM `#@__feedback` WHERE id='$fid'");
    $qmsg = '{quote}{title}'.$row['username'].'Original posts: {/title}{content}'.$row['msg'].'{/content}{/quote}';
    $msg = addslashes($qmsg).$msg;
}
$ischeck = ($cfg_feedbackcheck == 'Y' ? 0 : 1);
// no effective XSS filtering for $title
$arctitle = addslashes($title);
$inquery = "INSERT INTO `#@__feedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`)
    VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg');";
/templets/feedback_main.htm
// No valid input XSS filtering
<u>{dede:field.arctitle/}</u>
/templets/feedback_edit
// no valid input XSS filter
<?php echo $row['arctitle']; ?>
5. Defense Methods
/plus/feedback_ajax.php
//Save Comments
if(!empty($fid))
{
    $row = $dsql->GetOne("SELECT username,msg FROM `#@__feedback` WHERE id='$fid'");
    $qmsg = '{quote}{title}'.$row['username'].'Original posts: {/title}{content}'.$row['msg'].'{/content}{/quote}';
    $msg = addslashes($qmsg).$msg;
}
$ischeck = ($cfg_feedbackcheck == 'Y' ? 0 : 1);
// no effective XSS filtering for $title
//$arctitle = addslashes($title);
/* Add XSS defense logic */
$arctitle = addslashes(HtmlReplace($title));
$typeid = intval($typeid);
$feedbacktype = preg_replace("#[^0-9a-z]#i", "", $feedbacktype);
/* */
/templets/feedback_main.htm
<u>{dede:field.arctitle function=HtmlReplace(@me)/}</u>
/templets/feedback_edit
<?php echo HtmlReplace($row['arctitle']); ?>
Relevant Link:
http://www.111cn.net/wy/Dedecms/55965.htm
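As an added example, not code from this page or from DedeCMS, the input checks of the patch above together with the output-side escaping, written as plain PHP. The function names, the `feedback` table, the PDO handle and the sample inputs are assumptions made for the demo, and `htmlspecialchars()` stands in for DedeCMS's HtmlReplace().

```php
<?php
// Added example (not DedeCMS code): the input checks from the patch above plus
// output-side escaping, as plain PHP. Function names, the `feedback` table and
// the sample inputs are constructed for this demo.
// Stand-in for DedeCMS's HtmlReplace(): neutralise <, >, ", ' and & so a stored
// title can no longer break out of the <u>...</u> / echo contexts in the admin pages.
function html_replace(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Mirrors the patch: escape the title, force typeid to an integer and strip
// everything except [0-9a-z] from feedbacktype before the row is inserted.
function sanitize_feedback(array $in): array {
    return [
        'arctitle'     => html_replace($in['title'] ?? ''),
        'typeid'       => intval($in['typeid'] ?? 0),
        'feedbacktype' => preg_replace('#[^0-9a-z]#i', '', $in['feedbacktype'] ?? ''),
        'msg'          => $in['msg'] ?? '',
    ];
}

// Store via a prepared statement instead of the string-built INSERT, so the
// SQL side no longer depends on addslashes() (a change beyond the page's patch).
function save_feedback(PDO $pdo, array $in): void {
    $f = sanitize_feedback($in);
    $stmt = $pdo->prepare(
        'INSERT INTO feedback (arctitle, typeid, feedbacktype, msg) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$f['arctitle'], $f['typeid'], $f['feedbacktype'], $f['msg']]);
}

// Output side (feedback_main.htm / feedback_edit): escape on render as well, so
// a row stored by the unpatched code is still listed safely.
function render_title_cell(string $arctitle): string {
    return '<u>' . html_replace($arctitle) . '</u>';
}

// Constructed input of the kind the unpatched code would have stored verbatim.
$f = sanitize_feedback([
    'title'        => 'Nice post <script>alert(1)</script>',
    'typeid'       => '3 OR 1=1',
    'feedbacktype' => "good' --",
    'msg'          => 'hello',
]);
var_dump($f['arctitle'] === 'Nice post &lt;script&gt;alert(1)&lt;/script&gt;');
var_dump($f['typeid'] === 3);
var_dump($f['feedbacktype'] === 'good');
// A row stored by the unpatched code, rendered through the fixed template:
echo render_title_cell('Nice post <script>alert(1)</script>'), "\n";
```

Because the patch escapes on both the input and the output side, a title stored after the patch is double-encoded when it is listed in the backend; escaping only on output, with the prepared statement covering the SQL side, avoids that.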
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
dedecms/plus/feedback_ajax.php,/templets/feedback_main.htm,/templets/feedback_edit.htm XSS && SQL Injection Vul