The old Ecshop vulnerability affects many online malls; 360 urges sites to upgrade

On March 29 the 360 website security detection platform released a vulnerability alert: a large number of domestic online shopping malls face a high-risk vulnerability that could let hackers take control of the site and leak consumer account passwords and other data. The affected sites run old versions of the Ecshop shop system and have never patched a "local file inclusion" vulnerability that was disclosed years ago. The 360 platform has notified its customers to upgrade their Ecshop version and also provides a simpler code-level fix.

360 website security inspection platform: http://webscan.360.cn

Ecshop is a well-known open-source shop system that lets companies and individuals quickly build a customised online mall. The official Ecshop release fixed the local file inclusion vulnerability as early as April 2010, but many sites, lacking security awareness, have delayed upgrading to V2.7.2 or later, leaving hackers a long-standing opening; the proportion of such sites is as high as 40%.

According to 360 security engineers, the vulnerability in old Ecshop versions originates in the file js/calendar/calendar.php: "because the check on the $lang variable is lax," a hacker can bypass some of the logic and carry a malicious string into the include_once statement, producing an exploitable local file inclusion.

Diagram: 360WebScan analysis of the legacy Ecshop local file inclusion vulnerability (image not preserved)

360 security engineers said that hackers could use the vulnerability to obtain sensitive information from the web server, or even execute arbitrary code to gain control of the application and the server, putting the data and account information of the e-commerce sites' users at risk. Because the vulnerability has been public for so long, its principle and attack methods have spread widely, and such "old holes" tend to attract large numbers of intrusion attempts.

To protect e-commerce businesses and consumer data, 360 recommends that sites running old Ecshop versions upgrade immediately to the latest official release, or patch the code to close the vulnerability as follows. Open js/calendar/calendar.php and find:

    if (!file_exists('../languages/' . $lang . '/calendar.php'))
    {
        $lang = 'zh_cn';
    }

Following the official Ecshop solution, change the if statement to:

    if (!file_exists('../languages/' . $lang . '/calendar.php') || strrchr($lang, '.'))

Or apply 360's solution and change it to:

    if (!file_exists('../languages/' . $lang . '/calendar.php') || !in_array($lang, array('en_us', 'zh_cn', 'zh_tw'), true))
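As an added example (not code from Ecshop or from 360), the weak $lang check of the old calendar.php next to 360's allow-list form, run against a constructed directory tree so it works offline; the language list, the temporary paths and the "decoy" directory are assumptions, not anything from the article:

```php
<?php
// Added example, not ECShop's or 360's own code: the weak $lang check from
// old js/calendar/calendar.php next to the allow-list check 360 recommends.
// The language list and paths are assumptions modelled on the article.

// Weak form: file_exists() only proves that *some* calendar.php exists at the
// path built from $lang; it does not confine $lang to ../languages/, so the
// value can still steer the later include_once elsewhere.
function resolve_lang_weak(string $lang, string $base): string
{
    if (!file_exists($base . $lang . '/calendar.php')) {
        $lang = 'zh_cn';
    }
    return $lang;
}

// Hardened form (360's fix): strict allow-list first, so only a shipped
// language directory name can ever reach the include; file_exists() stays
// as the fallback for a missing translation.
function resolve_lang_safe(string $lang, string $base): string
{
    $allowed = array('en_us', 'zh_cn', 'zh_tw');
    if (!in_array($lang, $allowed, true)
        || !file_exists($base . $lang . '/calendar.php')) {
        $lang = 'zh_cn';
    }
    return $lang;
}

// Constructed throw-away tree so the demo runs offline: three language
// directories plus a sibling "decoy" directory outside languages/.
$root = sys_get_temp_dir() . '/ecshop_calendar_demo_' . getmypid();
foreach (array('languages/en_us', 'languages/zh_cn', 'languages/zh_tw', 'decoy') as $dir) {
    mkdir("$root/$dir", 0700, true);
    file_put_contents("$root/$dir/calendar.php", "<?php // $dir\n");
}
$base = "$root/languages/";

// Inputs: a real language, a name with a dot (what the official strrchr()
// fix catches), an unknown language, and a value that leaves languages/.
foreach (array('en_us', 'zh_cn.old', 'fr_fr', '../decoy') as $input) {
    printf("%-10s weak -> %-10s safe -> %s\n", $input,
        resolve_lang_weak($input, $base), resolve_lang_safe($input, $base));
}
```

Run it with php; the two checks agree on every input except '../decoy', which the weak form passes through unchanged because the decoy file exists, while the allow-list form falls back to 'zh_cn'.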