
DataLife Engine 9.7 (preview.php) PHP Code Injection - Website Security

Title: DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability

Software link: http://dleviet.com/

Vulnerability overview

In the /engine/preview.php script:

 

   

 

246.    $c_list = implode (',', $_REQUEST['catlist']);
247.
248.    if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
249.        $tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );
250.    }
251.
252.    if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
253.        $tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );
254.    }

 

   

 

User-supplied input passed through the $_REQUEST['catlist'] parameter is not properly sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253. The value is joined into $c_list at line 246 and interpolated into the replacement string, which the e modifier evaluates as PHP code. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires a template which contains a [catlist] (or a [not-catlist]) tag.

 

Solution:

Apply the patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
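The same tag handling written without the e modifier, as an added example that is neither DataLife Engine's code nor the vendor patch: the request value is reduced to integer IDs and handed to preg_replace_callback() as data, so nothing from the request is ever evaluated as PHP. The names normalize_catlist() and render_catlist_tags() are hypothetical, and check_category() here is a simplified stand-in with assumed semantics.

```php
<?php
// Added example. check_category() is a simplified stand-in (assumption), not DLE's function:
// it keeps the block when any current category appears in the tag's list.
function check_category(string $cats, string $block, string $current, bool $match = true): string
{
    $wanted  = array_filter(array_map('trim', explode(',', $cats)), 'strlen');
    $present = $current === '' ? [] : explode(',', $current);
    $hit     = count(array_intersect($wanted, $present)) > 0;
    return ($hit === $match) ? $block : '';
}

// Reduce the request value to a comma-separated list of digit-only IDs.
// Scalars, nested arrays and non-numeric strings are all handled without errors.
function normalize_catlist($raw): string
{
    $ids = [];
    foreach ((array) $raw as $value) {
        if (is_string($value) && ctype_digit($value)) {
            $ids[] = $value;
        }
    }
    return implode(',', $ids);
}

// Replace [catlist=..] and [not-catlist=..] blocks using a callback instead of /e.
function render_catlist_tags(string $template, string $c_list): string
{
    foreach (['catlist' => true, 'not-catlist' => false] as $tag => $match) {
        if (strpos($template, "[{$tag}=") === false) {
            continue;
        }
        $t = preg_quote($tag, '#');
        $pattern = '#\[' . $t . '=(.+?)\](.*?)\[/' . $t . '\]#is';
        // $c_list reaches check_category() as a plain argument, never as source text.
        $template = preg_replace_callback(
            $pattern,
            function (array $m) use ($c_list, $match): string {
                return check_category($m[1], $m[2], $c_list, $match);
            },
            $template
        ) ?? $template; // keep the input if PCRE reports an error
    }
    return $template;
}

// Constructed sample input, not taken from the advisory.
$template = "[catlist=1,2]news block[/catlist][not-catlist=1]other block[/not-catlist]";
$c_list   = normalize_catlist(['1', 'abc', '', ['nested']]);
echo $c_list, "\n";
echo render_catlist_tags($template, $c_list), "\n";
```

The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so any remaining preg_replace() pattern carrying it is worth flagging in code review.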

 
