Catalog
1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking
1. Vulnerability Description
Remote code execution in the SEO module: preg_replace is called with the e modifier, and the replacement string places the backreference inside double quotation marks.
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2012-06420
2. Vulnerability Trigger Condition
1. Register any account
2. Log in as that user
3. Post a blog entry (note: it is a log/journal post)
4. Access the log
5. demo.php is generated in the forum root directory, a one-line shell with password c
Relevant Link:
http://weibo.com/2242334800/ygxonqlf9?type=comment#_rnd1432431149028
http://sebug.net/vuldb/ssvid-60082
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
/source/class/helper/helper_seo.php
..
if($searcharray && $replacearray) {
    $_G['trunsform_tmp'] = array();
    /*
    1. The $content being transformed comes from user input (for example the image address)
    2. The replacement string handed to preg_replace wraps the backreference in double quotation marks
    3. The pattern uses the "e" modifier, so once the backreferences have been substituted PHP passes the
       replacement string to eval(); because the "${${...}}" syntax is resolved dynamically inside a
       double-quoted string, an attacker can inject code that is executed remotely
    */
    // Note: the third alternative, the <img ...> tag, was stripped by HTML extraction and is restored here
    $content = preg_replace("/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?>)|(\[attach\](\d+)\[\/attach\])/ies",
        'helper_seo::base64_transform("encode", "<relatedlink>", "\\1\\2\\3\\4", "</relatedlink>")', $content);
    $content = preg_replace($searcharray, $replacearray, $content, 1);
    $content = preg_replace("/<relatedlink>(.*?)<\/relatedlink>/ies",
        "helper_seo::base64_transform('decode', '', '\\1', '')", $content);
}
..
Relevant Link:
http://www.wooyun.org/upload/201204/2620001868555ef2f2153e9b615d32467724d943.jpg
5. Defense Methods
/source/class/helper/helper_seo.php
..
if($searcharray && $replacearray) {
    $_G['trunsform_tmp'] = array();
    /*
    After the fix the backreference is wrapped in single quotation marks instead of double ones,
    so the dynamic ${${...}} syntax is no longer interpolated and loses its ability to execute
    */
    // Note: the third alternative, the <img ...> tag, was stripped by HTML extraction and is restored here
    $content = preg_replace("/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?>)|(\[attach\](\d+)\[\/attach\])/ies",
        "helper_seo::base64_transform('encode', '<relatedlink>', '\\1\\2\\3\\4', '</relatedlink>')", $content);
    $content = preg_replace($searcharray, $replacearray, $content, 1);
    $content = preg_replace("/<relatedlink>(.*?)<\/relatedlink>/ies",
        "helper_seo::base64_transform('decode', '', '\\1', '')", $content);
}
..
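Switching the inner quotes to single quotation marks closes this particular hole, but the root cause is that the e modifier turns matched user text into PHP source for eval(); the modifier was deprecated in PHP 5.5 and removed in PHP 7.0. The added example below is not Discuz code: it rewrites the transform from sections 4 and 5 with preg_replace_callback, so each match is handed to a function as a string and nothing in $content is ever compiled. base64_transform is a simplified stand-in for helper_seo::base64_transform, and the function name seo_transform and the sample input are assumptions.

```php
<?php
// Added example (not Discuz code): the SEO related-link transform rewritten
// without the /e modifier. Matched fragments reach a callback as plain
// strings, so user-supplied text is never evaluated as PHP.

// Simplified stand-in for helper_seo::base64_transform: wrap or unwrap a
// fragment in base64 so the keyword replacement cannot alter it.
function base64_transform(string $type, string $prefix, string $text, string $suffix): string {
    $body = ($type === 'encode') ? base64_encode($text) : base64_decode($text);
    return $prefix . $body . $suffix;
}

function seo_transform(string $content, array $searcharray, array $replacearray): string {
    if (!$searcharray || !$replacearray) {
        return $content;
    }
    // Protect script blocks, links, images and [attach] codes from keyword
    // replacement: same alternation as the original, with /is instead of /ies.
    $protect = "/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?>)|(\[attach\](\d+)\[\/attach\])/is";
    $content = preg_replace_callback($protect, function (array $m): string {
        // $m[0] is the whole match, equivalent to \1\2\3\4 in the original; it is data, not code.
        return base64_transform('encode', '<relatedlink>', $m[0], '</relatedlink>');
    }, $content);

    // Apply the SEO keyword replacement once, as the original does.
    $content = preg_replace($searcharray, $replacearray, $content, 1);

    // Restore the protected fragments.
    return preg_replace_callback('/<relatedlink>(.*?)<\/relatedlink>/is', function (array $m): string {
        return base64_transform('decode', '', $m[1], '');
    }, $content);
}

// Constructed input: an image whose address carries a ${...} sequence of the
// kind that the /e plus double-quote combination would have interpolated.
$content = 'Discuz rocks <img src="http://example.invalid/${x}.jpg"> Discuz';
$out = seo_transform($content, ['/Discuz/'], ['<a href="/">Discuz</a>']);

// Only the first keyword is replaced and the img tag comes back byte-for-byte,
// ${x} included, because it was never treated as code.
var_dump($out === '<a href="/">Discuz</a> rocks <img src="http://example.invalid/${x}.jpg"> Discuz');
```

A useful audit check while migrating is to search the code base for regular-expression strings whose modifier list contains e (for example with grep -rn "/[a-zA-Z]*e[a-zA-Z]*['\"]" over preg_replace calls) and convert each to preg_replace_callback.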
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
Discuz! X2.5 /source/class/helper/helper_seo.php Remote Code Execution Vulnerability