1.
Vulnerability Name: Ecshop Injection Vulnerability
Patch number: 2862905
Patch file: /api/client/includes/lib_api.php
Patch Source: Yun Dun
Update Time:
Vulnerability Description: Ecshop has a blind SQL injection vulnerability in the /api/client/api.php file. By submitting a specially crafted malicious POST request, an attacker can carry out a SQL injection attack to obtain sensitive information or manipulate the database.
Note: This patch is Yun Dun's (Cloud Shield's) self-developed code repair scheme. Cloud Shield checks whether your current code matches its own repair pattern. If you applied a unified fix at the underlying layer or framework level, or used another repair scheme, Cloud Shield may still report the vulnerability even though you have already fixed it. In that case you may choose to ignore the vulnerability prompt.
Modification: api/client/includes/lib_api.php
function API_UserLogin($post)
{
    /* Escape UserId unless magic quotes has already done so */
    if (get_magic_quotes_gpc()) {
        $post['UserId'] = $post['UserId'];
    } else {
        $post['UserId'] = addslashes($post['UserId']);
    }
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';

    /* Check the password is correct */
    $sql = "SELECT user_id, user_name, password, action_list, last_login" .
           " FROM " . $GLOBALS['ecs']->table('admin_user') .
           " WHERE user_name = '" . htmlspecialchars($post['username']) . "'"; // user name for simple filtering
    $row = $GLOBALS['db']->getRow($sql);
    // ...
}
2. Cross-site attack
www.aaa.com/mobile/buy.php?id=849<body+onload=prompt()>
Include the Aliyun common vulnerability patch file, waf.php, in includes/init.php.
Modification: includes/lib_order.php
else // the shopping cart does not contain this item, so insert it
{
    $goods_price = get_final_price($goods_id, $num, true, $spec);
    $parent['goods_price'] = max($goods_price, 0);
    $parent['goods_number'] = $num;
    $parent['parent_id'] = 0;
    $sql = "SELECT * FROM " . $GLOBALS['ecs']->table('cart') . " WHERE goods_id = '$goods_id'";
    $hasgoods = $GLOBALS['db']->query($sql);
    if (empty($hasgoods)) {
        $GLOBALS['db']->autoExecute($GLOBALS['ecs']->table('cart'), $parent, 'INSERT');
    } else {
        echo "The product already exists.";
        exit;
    }
}
}
If you do not modify the lib_order.php file, the cross-site attack is blocked, but the database error message is exposed.
3.
Vulnerability Name: Ecshop Injection Vulnerability
Patch number: 2785226
Patch file: /flow.php
Patch Source: Yun Dun
Update Time:
Vulnerability Description: The Ecshop shipping address page does not verify the validity of the region parameters, so it has a SQL injection vulnerability. An attacker can use Firefox Tamper Data or similar plug-ins to modify the POST data submitted to the shipping address page, causing unauthorized database operations and even arbitrary code execution.
Modification: flow.php
/*
 * Save consignee information
 */
$consignee = array(
    'address_id'    => empty($_POST['address_id'])    ? 0  : intval($_POST['address_id']),
    'consignee'     => empty($_POST['consignee'])     ? '' : trim(htmlspecialchars($_POST['consignee'])),
    'country'       => empty($_POST['country'])       ? '' : intval($_POST['country']),
    'province'      => empty($_POST['province'])      ? '' : intval($_POST['province']),
    'city'          => empty($_POST['city'])          ? '' : intval($_POST['city']),
    'district'      => empty($_POST['district'])      ? '' : intval($_POST['district']),
    'email'         => empty($_POST['email'])         ? '' : htmlspecialchars($_POST['email']),
    'address'       => empty($_POST['address'])       ? '' : htmlspecialchars($_POST['address']),
    'zipcode'       => empty($_POST['zipcode'])       ? '' : make_semiangle(trim(htmlspecialchars($_POST['zipcode']))),
    'tel'           => empty($_POST['tel'])           ? '' : make_semiangle(htmlspecialchars($_POST['tel'])),
    'mobile'        => empty($_POST['mobile'])        ? '' : make_semiangle(trim(htmlspecialchars($_POST['mobile']))),
    'sign_building' => empty($_POST['sign_building']) ? '' : htmlspecialchars($_POST['sign_building']),
    'best_time'     => empty($_POST['best_time'])     ? '' : htmlspecialchars($_POST['best_time']),
);

Using htmlspecialchars does not eliminate the vulnerability. The modified code:

$consignee = array(
    'address_id'    => empty($_POST['address_id'])    ? 0  : intval($_POST['address_id']),
    'consignee'     => empty($_POST['consignee'])     ? '' : compile_str(trim($_POST['consignee'])),
    'country'       => empty($_POST['country'])       ? '' : intval($_POST['country']),
    'province'      => empty($_POST['province'])      ? '' : intval($_POST['province']),
    'city'          => empty($_POST['city'])          ? '' : intval($_POST['city']),
    'district'      => empty($_POST['district'])      ? '' : intval($_POST['district']),
    'email'         => empty($_POST['email'])         ? '' : compile_str($_POST['email']),
    'address'       => empty($_POST['address'])       ? '' : compile_str($_POST['address']),
    'zipcode'       => empty($_POST['zipcode'])       ? '' : compile_str(make_semiangle($_POST['zipcode'])),
    'tel'           => empty($_POST['tel'])           ? '' : compile_str(make_semiangle($_POST['tel'])),
    'mobile'        => empty($_POST['mobile'])        ? '' : compile_str(make_semiangle($_POST['mobile'])),
    'sign_building' => empty($_POST['sign_building']) ? '' : compile_str($_POST['sign_building']),
    'best_time'     => empty($_POST['best_time'])     ? '' : compile_str($_POST['best_time']),
);
4.
Vulnerability Name: Ecshop SQL Injection Vulnerability
Patch number: 6850408
Patch file: /admin/affiliate_ck.php
Patch Source: Yun Dun
Update Time:
Vulnerability Description: In the Ecshop back-end file /admin/affiliate_ck.php, the input parameter auid is not escaped according to its type, resulting in an integer-type injection.
Modification: affiliate_ck.php
if (!empty($_GET['auid']))
{
    // Note: the auid key must be wrapped in single quotes.
    // intval() is concatenated because a function call is not evaluated inside a double-quoted string.
    $smarty->assign('action_link', array('text' => $_LANG['back_note'], 'href' => 'users.php?act=edit&id=' . intval($_GET['auid'])));
}

if (isset($_GET['auid']))
{
    $sqladd = ' AND a.user_id=' . intval($_GET['auid']);
}
5.
Vulnerability Name: Ecshop SQL Injection Vulnerability
Patch number: 6699875
Patch file: /admin/shophelp.php
Patch Source: Yun Dun
Update Time:
Vulnerability Description: In the Ecshop back-end file /admin/shophelp.php, the input parameter $_POST['id'] is not escaped according to its type, causing an integer-type injection.
Modification: shophelp.php
/* Get the article data */
$sql = "SELECT article_id, title, content FROM " . $ecs->table('article') .
       " WHERE article_id = " . intval($_REQUEST['id']);
$article = $db->getRow($sql);

/* Check for a duplicate title */
if ($_POST['title'] != $_POST['old_title'])
{
    $is_only = $exc->is_only('title', htmlspecialchars($_POST['title']), intval($_POST['id']));

    if (!$is_only)
    {
        sys_msg(sprintf($_LANG['title_exist'], stripslashes($_POST['title'])), 1);
    }
}

/* Update data */
$cur_time = gmtime();
if ($exc->edit("title = '$_POST[title]', content = '$_POST[FCKeditor1]', add_time = '$cur_time'", intval($_POST['id'])))
{
    /* Clear cache */
    clear_cache_files();
    // ...
}

/* Get the article data */
// intval() is concatenated because a function call is not evaluated inside a double-quoted string.
$sql = "SELECT article_id, title, cat_id, article_type, is_open, author, author_email, keywords, content FROM " . $ecs->table('article') .
       " WHERE article_id = " . intval($_REQUEST['id']);
6.
Vulnerability Name: Ecshop back-end SQL injection
Patch number: 6461678
Patch file: /admin/comment_manage.php
Patch Source: Yun Dun
Update Time:
Vulnerability Description: In Ecshop's /admin/comment_manage.php, the input parameters sort_by and sort_order are not strictly filtered, resulting in SQL injection.
Modification: comment_manage.php
$filter['sort_by']    = empty($_REQUEST['sort_by'])    ? 'add_time' : trim(htmlspecialchars($_REQUEST['sort_by']));
$filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC'     : trim(htmlspecialchars($_REQUEST['sort_order']));
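The sort_by and sort_order values are used as a bare column name and sort direction, a position where HTML encoding constrains very little. The following added example (not Ecshop or Yun Dun code) puts the patched expression beside an allow-list check; the function names and the column list are assumptions, and the sample requests are constructed.

```php
<?php
// Added example, not Ecshop or Yun Dun code. The column names in
// $allowed_columns are assumptions; use the real sortable columns.

// The patched expression from the page, reproduced for comparison.
function encoded_sort_filter(array $request): array
{
    return array(
        'sort_by'    => empty($request['sort_by']) ? 'add_time' : trim(htmlspecialchars($request['sort_by'])),
        'sort_order' => empty($request['sort_order']) ? 'DESC' : trim(htmlspecialchars($request['sort_order'])),
    );
}

// Allow-list version: only known identifiers can reach ORDER BY.
function allowlisted_sort_filter(array $request): array
{
    $allowed_columns = array('comment_id', 'user_name', 'comment_type', 'ip_address', 'add_time');
    $allowed_orders  = array('ASC', 'DESC');

    $sort_by = isset($request['sort_by']) && is_string($request['sort_by'])
        ? trim($request['sort_by']) : '';
    $sort_order = isset($request['sort_order']) && is_string($request['sort_order'])
        ? strtoupper(trim($request['sort_order'])) : '';

    return array(
        // Strict comparison; anything unknown falls back to the default.
        'sort_by'    => in_array($sort_by, $allowed_columns, true) ? $sort_by : 'add_time',
        'sort_order' => in_array($sort_order, $allowed_orders, true) ? $sort_order : 'DESC',
    );
}

// Constructed sample requests (not captured traffic).
$samples = array(
    array('sort_by' => 'user_name', 'sort_order' => 'asc'),
    array('sort_by' => 'add_time, 1', 'sort_order' => 'DESC'),
    array('sort_by' => 'no_such_column', 'sort_order' => 'sideways'),
);
foreach ($samples as $request) {
    $encoded = encoded_sort_filter($request);
    $listed  = allowlisted_sort_filter($request);
    echo 'encoded:      ORDER BY ' . $encoded['sort_by'] . ' ' . $encoded['sort_order'] . PHP_EOL;
    echo 'allow-listed: ORDER BY ' . $listed['sort_by'] . ' ' . $listed['sort_order'] . PHP_EOL;
}
```

The encoded version passes any text without HTML metacharacters straight through, while the allow-listed version can only ever emit one of the listed identifiers.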
7.
Vulnerability Name: Ecshop Injection Vulnerability
Patch number: 2785221
Patch file: /api/client/includes/lib_api.php
Patch Source: Yun Dun
Update Time:
Vulnerability Description: Ecshop has a blind SQL injection vulnerability in the /api/client/api.php file. By submitting a specially crafted malicious POST request, an attacker can carry out a SQL injection attack to obtain sensitive information or manipulate the database.
Modification: api/client/includes/lib_api.php
/**
 * User login function
 * Verify login, set cookie
 *
 * @param array $post
 */
function API_UserLogin($post)
{
    $post['username'] = isset($post['UserId']) ? trim(htmlspecialchars($post['UserId'])) : '';
    // ...
}
8.
Vulnerability Name: Ecshop Injection Vulnerability
Patch number: 1948165
Patch file: /includes/modules/payment/alipay.php
Patch Source: Yun Dun
Update Time:
Vulnerability Description: The Ecshop payment plug-in has a SQL injection vulnerability. It exists in the /includes/modules/payment/alipay.php file, which is the Ecshop Alipay plug-in. Because Ecshop uses the str_replace function for string substitution, attackers can bypass the single-quote restriction and construct SQL injection statements. As long as the Alipay payment plug-in is available, the flaw can be used to obtain the website's data, with no registration or login required.
Modification: alipay.php
$order_sn = str_replace($_GET['subject'], '', $_GET['out_trade_no']);
$order_sn = trim($order_sn);
$len = strlen($_GET['subject']);
$t_subject = substr($_GET['out_trade_no'], 0, $len);
//$order_sn = substr($_GET['out_trade_no'], $len);
if ($t_subject != $_GET['subject'])
{
    $order_sn = $_GET['out_trade_no'];
}
/**
 * End
 */
//$order_sn = trim($order_sn);
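A stricter way to derive the value from subject and out_trade_no is to check the prefix and validate what remains, rather than substituting text. This is an added example, not Ecshop or Yun Dun code; the function name is hypothetical, and it assumes that out_trade_no is the subject value followed by a numeric id. The sample inputs are constructed.

```php
<?php
// Added example, not Ecshop or Yun Dun code.
// Assumption: out_trade_no is the subject value followed by a numeric id.
function alipay_extract_id($subject, $out_trade_no)
{
    if (!is_string($subject) || !is_string($out_trade_no) || $subject === '') {
        return null;
    }
    // Prefix check instead of str_replace(): str_replace() removes every
    // occurrence of $subject anywhere in the string, which can also alter
    // escape sequences that were added to the request data earlier.
    $len = strlen($subject);
    if (strncmp($out_trade_no, $subject, $len) !== 0) {
        return null;
    }
    // Cast to string because substr() returns false before PHP 8 when
    // nothing follows the prefix.
    $id = (string) substr($out_trade_no, $len);
    // Accept digits only, so nothing that needs quoting reaches the SQL.
    if ($id === '' || !ctype_digit($id)) {
        return null;
    }
    return $id;
}

// Constructed sample inputs (not captured traffic).
$samples = array(
    array('2015060112345', '201506011234577'), // prefix matches, numeric remainder
    array('2015060112345', '2015060112345'),   // nothing after the prefix
    array('2015060112345', "201506011234577'"),// remainder is not purely numeric
    array('abc', 'xyz123'),                    // prefix does not match
);
foreach ($samples as $pair) {
    $id = alipay_extract_id($pair[0], $pair[1]);
    echo var_export($pair[1], true) . ' => ' . var_export($id, true) . PHP_EOL;
}
```

A caller treats a null result as an invalid notification and stops before building any query.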