ECShop Hongyu Xiaojingdong - Fixes for the high-risk ECShop vulnerabilities reported by Alibaba Cloud Shield (2017-08-11)
Published by: Hongyu Technology (鸿宇科技)
Official forum: bbs.hongyuvip.com
Official QQ group: 90664526
Solution: download the attachment to this post, or fetch the file from the QQ group's file area (阿里云盾提示ECshop高危漏洞修复文件-2017-08-11.zip)
1. ECShop admin SQL injection: /admin/comment_manage.php, lines 336-337
2. ECShop code injection: /admin/edit_languages.php, line 120
3. ECShop admin getshell: /admin/integrate.php, line 109
4. ECShop SQL injection: /admin/affiliate_ck.php
a. /admin/affiliate_ck.php, line 282
b. /mobile/admin/affiliate_ck.php, line 307
5. ECShop injection: /includes/modules/payment/alipay.php
a. /includes/modules/payment/alipay.php, line 183
b. /mobile/includes/modules/payment/alipay.php, line 216
c. /app/includes/modules/payment/alipay.php, line 173
6. ECShop SQL injection: /admin/shopinfo.php
a. /admin/shopinfo.php
b. /mobile/admin/shopinfo.php
c. lines 53, 71, 105 and 123; all four places are fixed the same way
7. ECShop injection: /api/client/includes/lib_api.php
a. /api/client/includes/lib_api.php, line 245
b. /mobile/api/client/includes/lib_api.php, line 246
8. ECShop SQL injection: /admin/shophelp.php
a. /admin/shophelp.php
b. /mobile/admin/shophelp.php
c. lines 81, 105, 133 and 155; all four places are fixed the same way
9. ECShop injection: /category.php, line 65
10. ECShop SQL injection leading to code execution
1. ECShop admin SQL injection: /admin/comment_manage.php, lines 336-337
Before:
$filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'add_time' : trim($_REQUEST['sort_by']);
$filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);
After:
$filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'add_time' : trim(htmlspecialchars($_REQUEST['sort_by']));
$filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim(htmlspecialchars($_REQUEST['sort_order']));
2. ECShop code injection: /admin/edit_languages.php, line 120
Before:
$dst_items[$i] = $_POST['item_id'][$i] .' = '. '"' .$_POST['item_content'][$i]. '";';
After:
$dst_items[$i] = $_POST['item_id'][$i] .' = '. '\'' .$_POST['item_content'][$i]. '\';';
3. ECShop admin getshell: /admin/integrate.php, line 109
Before:
$code = empty($_GET['code']) ? '' : trim($_GET['code']);
After:
$code = empty($_GET['code']) ? '' : trim(addslashes($_GET['code']));
4. ECShop SQL injection: /admin/affiliate_ck.php
a. /admin/affiliate_ck.php, line 282
b. /mobile/admin/affiliate_ck.php, line 307
Before:
$sqladd = ' AND a.user_id=' . $_GET['auid'];
After:
$sqladd = ' AND a.user_id=' . intval($_GET['auid']);
5. ECShop injection: /includes/modules/payment/alipay.php
a. /includes/modules/payment/alipay.php, line 183
b. /mobile/includes/modules/payment/alipay.php, line 216
c. /app/includes/modules/payment/alipay.php, line 173
Before:
$order_sn = trim($order_sn);
After:
$order_sn = trim(addslashes($order_sn));
6. ECShop SQL injection: /admin/shopinfo.php
a. /admin/shopinfo.php
b. /mobile/admin/shopinfo.php
c. lines 53, 71, 105 and 123; all four places are fixed the same way
Before:
admin_priv('shopinfo_manage');
After:
admin_priv('shopinfo_manage');
$_REQUEST['id'] = intval($_REQUEST['id']);
7. ECShop injection: /api/client/includes/lib_api.php
a. /api/client/includes/lib_api.php, line 245
b. /mobile/api/client/includes/lib_api.php, line 246
The start of API_UserLogin() becomes:
function API_UserLogin($post)
{
    // Escape UserId unless magic_quotes_gpc has already done so
    if (get_magic_quotes_gpc()) {
        $post['UserId'] = $post['UserId'];
    } else {
        $post['UserId'] = addslashes($post['UserId']);
    }
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';

    /* Check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, action_list, last_login".
        " FROM " . $GLOBALS['ecs']->table('admin_user') .
        " WHERE user_name = '" . htmlspecialchars($post['username']). "'";
    $row = $GLOBALS['db']->getRow($sql);
    // remainder of the function omitted here
}
The lines added or changed are the get_magic_quotes_gpc() block and the htmlspecialchars() call in the WHERE clause:
if (get_magic_quotes_gpc()) {
    $post['UserId'] = $post['UserId'];
} else {
    $post['UserId'] = addslashes($post['UserId']);
}
" WHERE user_name = '" . htmlspecialchars($post['username']). "'";
8. ECShop SQL injection: /admin/shophelp.php
a. /admin/shophelp.php
b. /mobile/admin/shophelp.php
c. lines 81, 105, 133 and 155; all four places are fixed the same way
Before:
admin_priv('shopinfo_manage');
After:
admin_priv('shopinfo_manage');
$_REQUEST['id'] = intval($_REQUEST['id']);
9. ECShop injection: /category.php, line 65
Before:
$brand = isset($_REQUEST['brand']) && $_REQUEST['brand'] > 0 ? $_REQUEST['brand'] : 0;
After:
$brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? intval($_REQUEST['brand']) : 0;
10. ECShop SQL injection leading to code execution
Fixed lines:
$arr['id'] = intval($arr['id']);
$arr['num'] = intval($arr['num']);
$arr['type'] = addslashes($arr['type']);
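Because the sort_by and sort_order values from item 1 end up inside ORDER BY as bare identifiers, an allow-list is the robust check for them; the following added example (not part of the Hongyu patch or ECShop) shows that, and goes beyond item 1 by also covering the intval() coercion of numeric ids used in items 4, 6, 8 and 9. The column names in $allowed are an assumption chosen for illustration.

```php
<?php
// Added example, not from the Hongyu patch: allow-list validation for the
// comment_manage.php sort parameters and intval() coercion for numeric ids.
// The column names in $allowed are an assumption used for illustration.

/**
 * Build an ORDER BY fragment from untrusted request input.
 * Anything not on the allow-list falls back to the defaults the patch uses
 * ('add_time' and 'DESC'), so no request-controlled text reaches the SQL.
 */
function safe_sort_clause(array $request, array $allowed): string
{
    $sort_by = isset($request['sort_by']) ? trim((string) $request['sort_by']) : '';
    if (!in_array($sort_by, $allowed, true)) {
        $sort_by = 'add_time';
    }

    $sort_order = isset($request['sort_order'])
        ? strtoupper(trim((string) $request['sort_order']))
        : '';
    if ($sort_order !== 'ASC' && $sort_order !== 'DESC') {
        $sort_order = 'DESC';
    }

    return $sort_by . ' ' . $sort_order;
}

/**
 * Numeric ids (auid, id, brand): intval() turns any non-numeric input into 0
 * and drops trailing garbage, which is what the patch relies on in
 * affiliate_ck.php, shopinfo.php, shophelp.php and category.php.
 */
function safe_id($value): int
{
    return intval($value);
}

// Constructed sample inputs for a quick self-check (not real requests).
$allowed = ['add_time', 'comment_id', 'comment_rank'];
$samples = [
    ['sort_by' => 'comment_id', 'sort_order' => 'asc'],     // on the list, normalised
    ['sort_by' => 'not_a_column', 'sort_order' => 'DESC'],  // rejected, defaults used
    [],                                                     // missing, defaults used
];
foreach ($samples as $s) {
    echo safe_sort_clause($s, $allowed), "\n";
}
echo safe_id('12abc'), ' ', safe_id('x'), "\n";
```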