dedecms织梦阿里云安全中心提示上传漏洞解决方法
志汇网络接手的一个企业站用的dedecms,这么成熟CMS怎么有这么多漏洞,百度快照都被劫持了,阿里云的云安全中心已经提示报警,接下来一个一个解决。
漏洞描述:
dedecms过滤逻辑不严导致上传漏洞。
修改/include/uploadsafe.inc.php文件
<?php
if(!defined('DEDEINC')) exit('Request Error!');
if(isset($_FILES['GLOBALS'])) exit('Request not allow!');
//为了防止用户通过注入的可能性改动了数据库
//这里强制限定的某些文件类型禁止上传
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";
$keyarr = array('name', 'type', 'tmp_name', 'size');
if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload']))
{
$_FILES['imgfile'] = $_FILES['upload'];
$CKUpload = TRUE;
unset($_FILES['upload']);
}
foreach($_FILES as $_key=>$_value)
{
foreach($keyarr as $k)
{
if(!isset($_FILES[$_key][$k]))
{
exit('Request Error!');
}
}
if( preg_match('#^(cfg_|GLOBALS)#', $_key) )
{
exit('Request var not allow for uploadsafe!');
}
$$_key = $_FILES[$_key]['tmp_name'];
${$_key.'_name'} = $_FILES[$_key]['name'];
${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']);
if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) )
{
if(!defined('DEDEADMIN'))
{
exit('Not Admin Upload filetype not allow !');
}
}
if(empty(${$_key.'_size'}))
{
${$_key.'_size'} = @filesize($$_key);
}
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)){
$image_dd = @getimagesize($$_key); if($image_dd == false){
continue;
}
if (!is_array($image_dd)) {
exit('Upload filetype not allow !');
}
}
$imtypes = array
(
"image/pjpeg", "image/jpeg", "image/gif", "image/png",
"image/xpng", "image/wbmp", "image/bmp"
);
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
{
$image_dd = @getimagesize($$_key);
if($image_dd == false){ continue; }
if (!is_array($image_dd))
{
exit('Upload filetype not allow !');
}
}
}
?>
发表评论: