ECShop Hongyu Xiao-Jingdong (鸿宇小京东) - Fixes for the ECShop high-risk vulnerabilities reported by Alibaba Cloud Shield (2017-08-11)

Published by: Hongyu Technology (鸿宇科技)
Official forum: bbs.hongyuvip.com
Official QQ group: 90664526
Fix package: download the attachment to this post, or the file of the same name in the QQ group's file area (阿里云盾提示ECshop高危漏洞修复文件-2017-08-11.zip). The manual changes it contains are listed below, file by file.

1. ECShop admin SQL injection, /admin/comment_manage.php lines 336-337
    $filter['sort_by']    = empty($_REQUEST['sort_by']) ? 'add_time' : trim($_REQUEST['sort_by']);
    $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);
Change to
    $filter['sort_by']    = empty($_REQUEST['sort_by']) ? 'add_time' : trim(htmlspecialchars($_REQUEST['sort_by']));
    $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim(htmlspecialchars($_REQUEST['sort_order']));

2. ECShop code injection, /admin/edit_languages.php line 120
    $dst_items[$i] = $_POST['item_id'][$i] .' = '. '"' .$_POST['item_content'][$i]. '";';
Change to
    $dst_items[$i] = $_POST['item_id'][$i] .' = '. '\'' .$_POST['item_content'][$i]. '\';';
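Why the quote change matters, and what it does not cover: the generated line is written into a PHP language file that is later included, so inside double quotes a value containing `$var` or `{$expr}` is evaluated as PHP. Single quotes stop that interpolation, but a literal single quote or backslash in item_content still terminates the string literal, and item_id is concatenated in without any check in either version. The following is an added example, not code from ECShop or the Hongyu patch; it assumes item_id is the left-hand side of an entry such as $_LANG['key'] and that the output is loaded with include(), and it shows a generator that validates the identifier and lets var_export() produce the string literal.

```php
<?php
// Added example; not code from ECShop or the Hongyu patch. It assumes item_id is
// the left-hand side of a language entry such as $_LANG['key'] and that the
// generated file is later loaded with include(), as ECShop does with lang files.

// The page's fix: single quotes stop "$var" and "{$expr}" interpolation, but a
// literal ' or \ in the value still ends the string early, and item_id is
// concatenated in with no check at all.
function lang_line_single_quoted(string $id, string $content): string
{
    return $id . ' = ' . '\'' . $content . '\';';
}

// Safer: validate the identifier, then let var_export() build a correctly
// escaped PHP string literal whatever the content holds.
function lang_line_safe(string $id, string $content): string
{
    if (preg_match('/^\$_LANG\[\'[A-Za-z0-9_]+\'\]$/', $id) !== 1) {
        throw new InvalidArgumentException('rejected language item id: ' . $id);
    }
    return $id . ' = ' . var_export($content, true) . ';';
}

// Write the generated line to a temporary file, include it, and check that the
// value comes back unchanged (nothing in it was parsed as code).
function lang_line_round_trips(string $content): bool
{
    $tmp = tempnam(sys_get_temp_dir(), 'lang');
    file_put_contents($tmp, "<?php\n" . lang_line_safe("\$_LANG['greeting']", $content) . "\n");
    $_LANG = array();
    include $tmp;
    unlink($tmp);
    return isset($_LANG['greeting']) && $_LANG['greeting'] === $content;
}

// Constructed value holding every character that matters: ', ", \ and {$...}
$content = "it's \"quoted\" \\ {\$shop}";
// With the page's fix, the apostrophe in "it's" ends the literal early.
echo lang_line_single_quoted("\$_LANG['greeting']", $content), "\n";
// With var_export() the same value is escaped and round-trips intact.
echo lang_line_safe("\$_LANG['greeting']", $content), "\n";
var_dump(lang_line_round_trips($content));
```

Rejecting bad identifiers and using var_export() for the value removes both ways of turning a language entry into code; the quote style alone only removes one.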

3. ECShop admin getshell, /admin/integrate.php line 109
    $code = empty($_GET['code']) ? '' : trim($_GET['code']);
Change to
    $code = empty($_GET['code']) ? '' : trim(addslashes($_GET['code']));

4. ECShop SQL injection, /admin/affiliate_ck.php
 a. /admin/affiliate_ck.php line 282
 b. /mobile/admin/affiliate_ck.php line 307
    $sqladd = ' AND a.user_id=' . $_GET['auid'];
Change to
    $sqladd = ' AND a.user_id=' . intval($_GET['auid']);

5. ECShop injection, /includes/modules/payment/alipay.php
 a. /includes/modules/payment/alipay.php line 183
 b. /mobile/includes/modules/payment/alipay.php line 216
 c. /app/includes/modules/payment/alipay.php line 173
    $order_sn = trim($order_sn);
Change to
    $order_sn = trim(addslashes($order_sn));

6. ECShop SQL injection, /admin/shopinfo.php
 a. /admin/shopinfo.php
 b. /mobile/admin/shopinfo.php
 c. lines 53, 71, 105 and 123; all four places get the same fix
    admin_priv('shopinfo_manage');
Change to
    admin_priv('shopinfo_manage');
    $_REQUEST['id'] = intval($_REQUEST['id']);

7. ECShop injection, /api/client/includes/lib_api.php
 a. /api/client/includes/lib_api.php line 245
 b. /mobile/api/client/includes/lib_api.php line 246
Change the start of API_UserLogin() to the following. The added parts are the get_magic_quotes_gpc()/addslashes() block on $post['UserId'] and the htmlspecialchars() call in the WHERE clause; the rest of the function is unchanged.
    function API_UserLogin($post)
    {
        if (get_magic_quotes_gpc()) {
            $post['UserId'] = $post['UserId'];
        } else {
            $post['UserId'] = addslashes($post['UserId']);
        }
        $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
        $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';

        /* check that the password is correct */
        $sql = "SELECT user_id, user_name, password, action_list, last_login".
               " FROM " . $GLOBALS['ecs']->table('admin_user') .
               " WHERE user_name = '" . htmlspecialchars($post['username']). "'";

        $row = $GLOBALS['db']->getRow($sql);
Two things to check on your own server: get_magic_quotes_gpc() always returns false on PHP 7.4 (deprecated) and no longer exists on PHP 8.0, so on those versions only the addslashes() branch is relevant and the call itself must be removed; and htmlspecialchars() also rewrites &, <, > and " in the username, so an admin account whose name contains one of those characters will no longer match its stored user_name.

8. ECShop SQL injection, /admin/shophelp.php
 a. /admin/shophelp.php
 b. /mobile/admin/shophelp.php
 c. lines 81, 105, 133 and 155; all four places get the same fix
    admin_priv('shopinfo_manage');
Change to
    admin_priv('shopinfo_manage');
    $_REQUEST['id'] = intval($_REQUEST['id']);

9. ECShop injection, /category.php line 65
    $brand = isset($_REQUEST['brand']) && $_REQUEST['brand'] > 0 ? $_REQUEST['brand'] : 0;
Change to
    $brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? intval($_REQUEST['brand']) : 0;

10. ECShop SQL injection leading to code execution (file and line not given in the post); the fixed lines are
    $arr['id'] = intval($arr['id']);
    $arr['num'] = intval($arr['num']);
    $arr['type'] = addslashes($arr['type']);
