emlog vulnerability fixes (5.3.1, 6.0.0)

Add CSRF protection to the plugin page
Fix a session-handling flaw that let the backend captcha be replayed, enabling password brute-forcing
Fix the (low-value, hard to exploit) file inclusion in admin/plugin.php
Fix arbitrary file deletion in attachment.php by any account with backend access
Fix the XSS introduced by the upload component uploadify.swf
Affected versions: 5.3.1, 6.0.0

[lv]

Code lines carrying the comment "//新增" ("newly added") are the ones you need to add to apply the fix; the other lines are shown only for context.

admin/attachment.php (this issue exists only in 5.3.1). The del_tw_img action unlinks whatever path arrives in the filepath GET parameter, so any account with backend access could delete any file the web server can write to. The fix limits the action to administrators; emMsg() prints the message and exits, so nothing below it runs for other roles. Note that the path itself is still taken verbatim from the request and is not confined to the upload directory.
if ($action == 'del_tw_img') {
    if (ROLE != ROLE_ADMIN) { //新增
        emMsg("非管理员不能删除图片!"); //新增 ("only administrators may delete images"; emMsg() exits)
    } //新增
    $filepath = isset($_GET['filepath']) ? $_GET['filepath'] : '';
    if ($filepath && file_exists($filepath)) {
        // "thum-foo.jpg" is the thumbnail of "foo.jpg"; remove both
        $fpath = str_replace('thum-', '', $filepath);
        if ($fpath != $filepath) {
            @unlink($fpath) or false;
        }
        @unlink($filepath) or false;
    }
    exit;
}
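The role check above keeps non-admins out, but an administrator (or a cross-site request riding on an admin session) can still delete files anywhere on disk. The following is an added example, not emlog's code, of a del_tw_img handler that also confines the path to the upload directory with realpath() and requires an anti-CSRF token. The $uploadRoot directory and the $isAdmin / $tokenOk flags are assumptions standing in for emlog's ROLE/ROLE_ADMIN, LoginAuth::checkToken() and the content/uploadfile path.

```php
<?php
// Added example, not emlog's code. $uploadRoot, $isAdmin and $tokenOk are assumptions
// standing in for emlog's upload directory, ROLE/ROLE_ADMIN and LoginAuth::checkToken().
declare(strict_types=1);

function inside_dir(string $path, string $root): bool
{
    // Compare including the trailing separator so "/srv/uploads2" is not accepted for "/srv/uploads".
    return strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
}

/**
 * Delete an uploaded image; if a "thum-" thumbnail was given, delete its full-size twin too.
 * Returns [ok, detail]: detail is the list of deleted files, or the reason for rejection.
 */
function safe_delete_attachment(string $requested, string $uploadRoot): array
{
    $root = realpath($uploadRoot);
    if ($root === false) {
        return [false, 'upload root missing'];
    }
    // realpath() resolves ".." and symlinks and returns false for paths that do not exist.
    $target = realpath($requested);
    if ($target === false || !is_file($target)) {
        return [false, 'not an existing file'];
    }
    if (!inside_dir($target, $root)) {
        return [false, 'outside upload directory'];
    }
    $deleted = [];
    $base = basename($target);
    if (strpos($base, 'thum-') === 0) {
        // Same naming convention as the original code, but applied to the basename only.
        $full = dirname($target) . DIRECTORY_SEPARATOR . substr($base, 5);
        if (is_file($full) && inside_dir($full, $root)) {
            unlink($full);
            $deleted[] = $full;
        }
    }
    unlink($target);
    $deleted[] = $target;
    return [true, $deleted];
}

// Request-level checks that belong in front of the path logic: admin only, plus a CSRF token,
// because a GET link that deletes files can be triggered from any page the admin visits.
function handle_del_tw_img(array $get, bool $isAdmin, bool $tokenOk, string $uploadRoot): array
{
    if (!$isAdmin) {
        return [false, 'non-admin'];
    }
    if (!$tokenOk) {
        return [false, 'bad token'];
    }
    return safe_delete_attachment((string)($get['filepath'] ?? ''), $uploadRoot);
}

// Constructed demo: a throwaway upload tree with one image and its thumbnail, and a
// sensitive file one level above it.
$tmp = sys_get_temp_dir() . '/emlog_demo_' . getmypid();
mkdir("$tmp/uploadfile/201801", 0700, true);
file_put_contents("$tmp/uploadfile/201801/cat.jpg", 'jpg');
file_put_contents("$tmp/uploadfile/201801/thum-cat.jpg", 'jpg');
file_put_contents("$tmp/config.php", '<?php // secrets');
$root = "$tmp/uploadfile";

$cases = [
    'traversal to config.php' => ['filepath' => "$root/201801/../../config.php"],
    'legitimate thumbnail'    => ['filepath' => "$root/201801/thum-cat.jpg"],
];
foreach ($cases as $label => $get) {
    [$ok, $detail] = handle_del_tw_img($get, true, true, $root);
    printf("%-24s => %s %s\n", $label, $ok ? 'deleted' : 'REJECTED', json_encode($detail));
}
printf("config.php still present: %s\n", is_file("$tmp/config.php") ? 'yes' : 'no');

// Clean up the demo tree.
array_map('unlink', glob("$root/201801/*") ?: []);
unlink("$tmp/config.php");
rmdir("$root/201801");
rmdir($root);
rmdir($tmp);
```

Run from the command line; the traversal case is rejected as outside the upload directory while config.php survives, and the thumbnail case removes both thum-cat.jpg and cat.jpg. The prefix comparison is done on the realpath() result rather than on the raw request string, which is what defeats "..", encoded separators and symlinks in one step.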

admin/globals.php. After a failed login the captcha answer stored in $_SESSION['code'] was left in place, so an attacker who solved one captcha could replay the same answer with every password guess. Discarding it on failure forces a fresh captcha for each attempt.
if ($loginAuthRet === true) {
    LoginAuth::setAuthCookie($username, $ispersis);
    emDirect("./");
} else {
    if (isset($_SESSION['code'])) unset($_SESSION['code']); //新增
    LoginAuth::loginPage($loginAuthRet);
}
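The same idea in a self-contained form, as an added example rather than emlog's own code: the captcha is consumed the moment it is checked, whatever the outcome, so a single solved image never answers more than one login attempt. $session stands in for $_SESSION (using the same 'code' key as globals.php), and the user table is constructed here in place of LoginAuth.

```php
<?php
// Added example, not emlog's code. $session stands in for $_SESSION; the password table is constructed.
declare(strict_types=1);

function verify_captcha(array &$session, string $submitted): bool
{
    $expected = $session['code'] ?? null;
    // Invalidate first, regardless of the outcome: one captcha answers exactly one attempt.
    unset($session['code']);
    if ($expected === null || $submitted === '') {
        return false;
    }
    // Case-insensitive like most image captchas; hash_equals() avoids a timing side channel.
    return hash_equals(strtolower($expected), strtolower($submitted));
}

function login_attempt(array &$session, string $user, string $pass, string $captcha, array $users): string
{
    if (!verify_captcha($session, $captcha)) {
        return 'captcha required';
    }
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        return 'ok';
    }
    return 'bad credentials';
}

// Constructed demo: the attacker solves one captcha, then tries to reuse it for a second guess.
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
$session = ['code' => 'k7xq'];          // the text the captcha image showed

echo login_attempt($session, 'admin', 'guess1', 'k7xq', $users), "\n";
echo login_attempt($session, 'admin', 'guess2', 'k7xq', $users), "\n";

$session['code'] = 'm2pd';              // a fresh captcha was rendered for the next form load
echo login_attempt($session, 'admin', 'correct horse', 'm2pd', $users), "\n";
```

The first call reports bad credentials, the second is refused before the password is even looked at because the captcha was already consumed, and the third succeeds only after a new captcha was issued. Unsetting before the comparison, not only on failure, is the detail that matters: it also covers a successful captcha check followed by a wrong password.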

admin/index.php (an author-level account could view phpinfo output; this issue exists only in 5.3.1)
if ($action == 'phpinfo') {
    LoginAuth::checkToken(); //新增
    @phpinfo() OR emMsg("phpinfo函数被禁用!"); // "the phpinfo function is disabled"
}
Caveat: checkToken() verifies the request's anti-CSRF token, which every logged-in backend user can read from their own backend pages, so this stops cross-site requests but does not by itself keep authors away from phpinfo. To enforce the role, add the same ROLE != ROLE_ADMIN guard used in attachment.php.

admin/plugin.php. The plugin name from the request is interpolated into the require_once path; because it appears twice (as directory and as file prefix) the inclusion is awkward to exploit, which is why it is called low-value above, but it still needs a strict whitelist. The original patch used "/\w+/i", which is unanchored and accepts any string containing a single word character; the check below is anchored so the entire name must be word characters (\z rather than $ so a trailing newline is rejected too).
if ($action == '' && $plugin) {
    if (!preg_match('/^\w+\z/', $plugin)) emMsg('插件名称有误,请修改插件!'); //新增 ("invalid plugin name"; emMsg() exits)
    include View::getView('header');
    require_once "../content/plugins/{$plugin}/{$plugin}_setting.php";
    plugin_setting_view();
    include View::getView('footer');
}

if ($action == 'setting') {
    if (!preg_match('/^\w+\z/', $plugin)) emMsg('插件名称有误,请修改插件!'); //新增
    if (!empty($_POST)) {
        require_once "../content/plugins/{$plugin}/{$plugin}_setting.php";
        if (false === plugin_setting()) {
            emDirect("./plugin.php?plugin={$plugin}&error=1");
        } else {
            emDirect("./plugin.php?plugin={$plugin}&setting=1");
        }
    } else {
        emDirect("./plugin.php?plugin={$plugin}&error=1");
    }
}
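To see the difference between the two regexes on real input, here is an added example (not emlog's code) that runs the unanchored and the anchored check side by side over a set of constructed plugin names and resolves the settings file only for names that pass the strict check and map to an existing plugin directory. $pluginRoot is an assumption standing in for the ../content/plugins path.

```php
<?php
// Added example, not emlog's code. $pluginRoot stands in for "../content/plugins".
declare(strict_types=1);

// The unanchored check: true as soon as the string contains one word character anywhere.
function loose_check(string $plugin): bool
{
    return preg_match('/\w+/i', $plugin) === 1;
}

// Anchored: the whole string must be word characters; \z (not $) rejects a trailing newline.
function strict_check(string $plugin): bool
{
    return preg_match('/^\w+\z/', $plugin) === 1;
}

/** Path of the plugin's settings file, or null if the name is invalid or the plugin is absent. */
function plugin_setting_file(string $plugin, string $pluginRoot): ?string
{
    if (!strict_check($plugin)) {
        return null;
    }
    $file = $pluginRoot . '/' . $plugin . '/' . $plugin . '_setting.php';
    return is_file($file) ? $file : null;
}

// Constructed demo: one real plugin directory, then names an attacker might send.
$root = sys_get_temp_dir() . '/emlog_plugins_' . getmypid();
mkdir("$root/hello_world", 0700, true);
file_put_contents("$root/hello_world/hello_world_setting.php",
    "<?php\nfunction plugin_setting_view() { echo 'settings'; }\n");

$names = ['hello_world', '../../uploadfile/x', "hello_world\n", 'hello world', ''];
foreach ($names as $n) {
    printf("%-24s loose=%-4s strict=%-4s file=%s\n",
        json_encode($n),
        loose_check($n) ? 'pass' : 'fail',
        strict_check($n) ? 'pass' : 'fail',
        plugin_setting_file($n, $root) ?? '(none)');
}

// Clean up the demo tree.
unlink("$root/hello_world/hello_world_setting.php");
rmdir("$root/hello_world");
rmdir($root);
```

Only hello_world passes the strict check and resolves to a file; the traversal string, the name with a trailing newline and the name with a space all pass the unanchored check but fail the anchored one, and the empty string fails both. Checking is_file() on the assembled path before require_once also turns a missing plugin into a clean rejection instead of a PHP fatal error that leaks the path.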

uploadify.swf (XSS)
uploadify.swf is the Flash component behind the backend batch-upload feature. The recommended fix is to delete include/lib/js/uploadify/uploadify.swf; batch upload then stops working, but Flash is end-of-life and the single-file upload path is unaffected.

[/lv]