phpcms v9 member login center SQL injection vulnerability fix

2019-03-03  Category: Network Security

What needs to be fixed:

First file (five places):

1: phpcms\modules\member\index.php, line 608

$password = isset($_POST['password']) && trim($_POST['password']) ? trim($_POST['password']) : showmessage(L('password_empty'), HTTP_REFERER);

Add below it:

// validation only: the ternary's value is discarded, showmessage() exits when the password is rejected
is_password($_POST['password']) && is_badword($_POST['password'])==false ? trim($_POST['password']) : showmessage(L('password_format_incorrect'), HTTP_REFERER);

2: phpcms\modules\member\index.php, line 471

$newpassword = password($_POST['info']['newpassword'], $this->memberinfo['encrypt']);

Add above it:

if(!is_password($_POST['info']['newpassword'])) {
    showmessage(L('password_format_incorrect'), HTTP_REFERER);
}

3: Search for public function public_checkname_ajax() { and change the line below it,

$username = isset($_GET['username']) && trim($_GET['username']) ? trim($_GET['username']) : exit(0);

to:

$username = isset($_GET['username']) && trim($_GET['username']) && is_username(trim($_GET['username'])) ? trim($_GET['username']) : exit(0);

4: Search for public function public_checknickname_ajax() { and change the line below it,

$nickname = isset($_GET['nickname']) && trim($_GET['nickname']) ? trim($_GET['nickname']) : exit('0');

to:

$nickname = isset($_GET['nickname']) && trim($_GET['nickname']) && is_username(trim($_GET['nickname'])) ? trim($_GET['nickname']) : exit('0');

5: Search for public function public_checkemail_ajax() { and change the line below it,

$email = isset($_GET['email']) && trim($_GET['email']) ? trim($_GET['email']) : exit(0);

to:

$email = isset($_GET['email']) && trim($_GET['email']) && is_email(trim($_GET['email'])) ? trim($_GET['email']) : exit(0);

Second file: phpsso_server\phpcms\modules\phpsso\classes\phpsso.class.php, line 37

if(empty($this->data) || !is_array($this->data)) {
    exit('0');
}

Add below it:

// get_magic_quotes_gpc() is deprecated since PHP 7.4 and removed in PHP 8; phpcms v9 targets older PHP releases
if(!get_magic_quotes_gpc()) {
    $this->data = new_addslashes($this->data);
}
if(isset($this->data['username']) && $this->data['username'] != '' && is_username($this->data['username']) == false) {
    exit('-5');
}
// this guard must test the email field itself, not username, otherwise the email check is skipped whenever no username is sent
if(isset($this->data['email']) && $this->data['email'] != '' && is_email($this->data['email']) == false) {
    exit('-5');
}
if(isset($this->data['password']) && $this->data['password'] != '' && (is_password($this->data['password']) == false || is_badword($this->data['password']))) {
    exit('-5');
}
if(isset($this->data['newpassword']) && $this->data['newpassword'] != '' && (is_password($this->data['newpassword']) == false || is_badword($this->data['newpassword']))) {
    exit('-5');
}

Third file: phpsso_server\phpcms\modules\phpsso\index.php, line 195

if($this->username) {
    $res = $this->db->update($data, array('username'=>$this->username));
} else {
    $res = $this->db->update($data, array('uid'=>$this->uid));
}

Change it to:

// prefer the numeric uid as the lookup key; only fall back to the caller-supplied username when no uid is known
if($this->uid > 0) {
    $res = $this->db->update($data, array('uid'=>$this->uid));
} else if($this->username) {
    $res = $this->db->update($data, array('username'=>$this->username));
}
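The reordering above matters because uid is a numeric value the SSO side already holds, while username is a string supplied by the caller that ends up in the WHERE clause of the update. The script below is an added example, not phpcms or phpsso code: it implements the same uid-first, username-second lookup, but through PDO prepared statements so the lookup value is always bound as data rather than spliced into the SQL text. The members table, its rows and the phpsso_update() name are constructed for this demo, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example (not phpcms/phpsso code): the same "uid first, username second"
// lookup as the fix above, with every value bound as a PDO parameter so the
// identifier is never spliced into the SQL text.
// The members table, its rows and the phpsso_update() name are constructed for
// this demo; an in-memory SQLite database stands in for the real one.

function phpsso_update(PDO $db, array $data, int $uid, string $username): int {
    // Column names cannot be bound, so only whitelisted columns may be updated.
    $allowed = ['email', 'password'];
    $set = [];
    $params = [];
    foreach ($data as $col => $val) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("column not updatable: $col");
        }
        $set[] = "$col = :$col";
        $params[":$col"] = $val;
    }
    if ($set === []) {
        return 0;
    }

    // Prefer the numeric uid; fall back to the username only when no uid is known.
    if ($uid > 0) {
        $where = 'uid = :key';
        $params[':key'] = $uid;
    } elseif ($username !== '') {
        $where = 'username = :key';
        $params[':key'] = $username;
    } else {
        return 0; // refuse an unconstrained UPDATE
    }

    $stmt = $db->prepare('UPDATE members SET ' . implode(', ', $set) . ' WHERE ' . $where);
    $stmt->execute($params);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)');
$db->exec("INSERT INTO members VALUES (1, 'alice', 'alice@example.com', 'h1'),
                                      (2, 'bob',   'bob@example.com',   'h2')");

// uid takes precedence even though a different username is supplied.
$n = phpsso_update($db, ['email' => 'alice@new.example'], 1, 'bob');
echo "updated by uid: $n row(s)\n";

// No uid: the username is used, but as bound data, so the apostrophe is just a
// character that matches no row rather than a quote that ends the string literal.
$n = phpsso_update($db, ['email' => 'x@example.com'], 0, "o'brien");
echo "updated by username: $n row(s)\n";

echo "alice now: " . $db->query("SELECT email FROM members WHERE uid = 1")->fetchColumn() . "\n";
```

The first call updates Alice's row, selected by uid even though the username argument says 'bob'; the second call, with no uid, uses the username and simply matches nothing because the apostrophe is bound as data. The column whitelist is there because placeholders can bind values but not identifiers, so the SET clause has to be built from names the code controls.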

Fourth file: phpsso_server\phpcms\modules\phpsso\functions\global.func.php, add the following functions:

/**
 * Check whether the password length is within the allowed range
 *
 * @param STRING $password
 * @return TRUE or FALSE
 */
function is_password($password) {
    $strlen = strlen($password);
    if($strlen >= 6 && $strlen <= 20) return true;
    return false;
}

/**
 * Check whether the input contains disallowed characters
 *
 * @param STRING $string the string to check
 * @return TRUE or FALSE
 */
function is_badword($string) {
    $badwords = array("\\",'&',' ',"'",'"','/','*',',','<','>',"\r","\t","\n","#");
    foreach($badwords as $value){
        if(strpos($string, $value) !== FALSE) {
            return TRUE;
        }
    }
    return FALSE;
}

/**
 * Check whether the username meets the rules
 *
 * @param STRING $username the username to check
 * @return TRUE or FALSE
 */
function is_username($username) {
    $strlen = strlen($username);
    // at least two characters drawn from letters, digits, '_' or any byte >= 0x7f (multibyte text)
    if(is_badword($username) || !preg_match("/^[a-zA-Z0-9_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]+$/", $username)){
        return false;
    } elseif ( 20 < $strlen || $strlen < 2 ) {
        return false;
    }
    return true;
}
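To see what these validators accept and reject, here is an added example that is not part of the patch: it copies the three functions above so it runs stand-alone, applies the same request gate that the second-file change adds to phpsso.class.php, and runs a set of constructed inputs through it. is_email(), which phpcms defines elsewhere and which is not reproduced on this page, is replaced by PHP's filter_var() as a stand-in, and check_sso_data() is an assumed name for the demo.

```php
<?php
// Added example (not phpcms/phpsso code): exercises the three validators from
// the patch above and the request gate that the phpsso.class.php change adds.
// The validators are copied from the patch so the script runs stand-alone;
// is_email(), which phpcms defines elsewhere, is replaced here by PHP's
// filter_var() as a stand-in, and check_sso_data() is an assumed name for the demo.

function is_password($password) {
    $strlen = strlen($password);              // counts bytes, not characters
    return $strlen >= 6 && $strlen <= 20;
}

function is_badword($string) {
    $badwords = array("\\", '&', ' ', "'", '"', '/', '*', ',', '<', '>', "\r", "\t", "\n", "#");
    foreach ($badwords as $value) {
        if (strpos($string, $value) !== FALSE) return TRUE;
    }
    return FALSE;
}

function is_username($username) {
    $strlen = strlen($username);
    // at least two characters; letters, digits, '_' or any byte >= 0x7f (multibyte text)
    if (is_badword($username) || !preg_match("/^[a-zA-Z0-9_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]+$/", $username)) {
        return false;
    } elseif (20 < $strlen || $strlen < 2) {
        return false;
    }
    return true;
}

// Same decisions as the phpsso.class.php gate; returns '-5' when the request is
// rejected and null when it passes.
function check_sso_data(array $data) {
    if (isset($data['username']) && $data['username'] != '' && !is_username($data['username'])) {
        return '-5';
    }
    if (isset($data['email']) && $data['email'] != '' && filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        return '-5';
    }
    foreach (['password', 'newpassword'] as $field) {
        if (isset($data[$field]) && $data[$field] != '' && (!is_password($data[$field]) || is_badword($data[$field]))) {
            return '-5';
        }
    }
    return null;
}

// Constructed requests covering the accepted shape and each rejection path.
$cases = [
    'plain login'             => ['username' => 'alice_01', 'password' => 'secret123'],
    'apostrophe in username'  => ['username' => "alice'x",  'password' => 'secret123'],
    'space in password'       => ['username' => 'alice',    'password' => 'pass word'],
    'password too short'      => ['username' => 'alice',    'password' => 'abc'],
    'email only, malformed'   => ['email' => 'not-an-email'],
    'two CJK chars (6 bytes)' => ['username' => "\xe7\x94\xa8\xe6\x88\xb7"],
    'one-character username'  => ['username' => 'a'],
];
foreach ($cases as $label => $data) {
    $result = check_sso_data($data);
    printf("%-25s -> %s\n", $label, $result === null ? 'accepted' : "rejected ($result)");
}
```

Two behaviours are worth knowing. The length checks use strlen(), so they count bytes: the two-character CJK username passes, but six such characters already reach the 20-byte cap. And the "email only, malformed" request is rejected only because the gate tests the email field at that point; a gate that tests username there instead lets that request through unchecked. is_badword() is a character blacklist, useful for rejecting malformed input but not a substitute for binding query values as parameters.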

Fix for the logic that forbids sending a private message to yourself:

phpcms\modules\message\index.php, line 42

if(!$r) showmessage(L('user_not_exist','','member'));

Add below it:

if($tousername == $username) {
    showmessage(L('not_myself','','message'));
}
