phpcmsv9 会员登录中心SQL注入漏洞&重置任意会员账号密码漏洞

代码笔记   2015-08-02 11:19:48

需要修改以下四处:
 
第一处: phpcms\modules\member\index.php  608行
 
$password = isset($_POST['password']) && trim($_POST['password']) ? trim($_POST['password']) : showmessage(L('password_empty'), HTTP_REFERER);
下面增加:
// Reject the request when the submitted password fails the length rule or
// contains a denylisted character. The raw $_POST value is checked here, not
// the trimmed copy stored in $password by the preceding line.
// NOTE(review): is_password()/is_badword() must be callable from this module;
// the page only shows them being added to phpsso_server's global.func.php — confirm.
if (!is_password($_POST['password']) || is_badword($_POST['password'])) {
    showmessage(L('password_format_incorrect'), HTTP_REFERER);
}
 
 
phpcms\modules\member\index.php  471行
$newpassword = password($_POST['info']['newpassword'], $this->memberinfo['encrypt']);
上面增加
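// Validate the new password before it is hashed. The same two checks are used
// as on the login form (length rule plus character denylist), so a password
// accepted here is not one that the login check or the phpsso-side
// newpassword check would later refuse.
if (!is_password($_POST['info']['newpassword']) || is_badword($_POST['info']['newpassword'])) {
    showmessage(L('password_format_incorrect'), HTTP_REFERER);
}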
 
第二处: phpsso_server\phpcms\modules\phpsso\classes\phpsso.class.php  37行
 
if(empty($this->data) || !is_array($this->data)) {
exit('0');
}
下面增加:
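// Escape every incoming field when magic quotes are off.
// NOTE(review): get_magic_quotes_gpc() is deprecated since PHP 7.4 and removed
// in PHP 8.0, so this call only works on older runtimes. Slash-escaping is a
// stopgap; the queries that consume $this->data should be parameterised or
// escaped at the SQL layer as well.
if (!get_magic_quotes_gpc()) {
    $this->data = new_addslashes($this->data);
}

// Each field below is validated only when it is present and non-empty; a
// failed check ends the request with the '-5' response.
if (isset($this->data['username']) && $this->data['username'] != '' && !is_username($this->data['username'])) {
    exit('-5');
}

// The non-empty test must look at the email field itself. Testing the username
// here (as the original line did) skipped email validation whenever the
// request carried an email without a username.
if (isset($this->data['email']) && $this->data['email'] != '' && !is_email($this->data['email'])) {
    exit('-5');
}

if (isset($this->data['password']) && $this->data['password'] != ''
    && (!is_password($this->data['password']) || is_badword($this->data['password']))) {
    exit('-5');
}

if (isset($this->data['newpassword']) && $this->data['newpassword'] != ''
    && (!is_password($this->data['newpassword']) || is_badword($this->data['newpassword']))) {
    exit('-5');
}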
 
第三处:phpsso_server\phpcms\modules\phpsso\index.php 195行
if($this->username) {
$res = $this->db->update($data, array('username'=>$this->username));
} else {
$res = $this->db->update($data, array('uid'=>$this->uid));
}
修改成
// Select the row to update by uid whenever a positive uid is present; the
// username is used as the selector only when no positive uid is available.
if($this->uid > 0) {
$res = $this->db->update($data, array('uid'=>$this->uid));
} else if($this->username) {
$res = $this->db->update($data, array('username'=>$this->username));
}
// NOTE(review): when uid is not positive and username is empty, neither branch
// runs and $res is not assigned here — confirm the code that follows handles that.
 
第四处:phpsso_server\phpcms\modules\phpsso\functions\global.func.php 增加下面的函数:
 
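/**
 * Check whether a password's length is within the allowed range.
 *
 * The length is measured with strlen(), i.e. in bytes, so a multi-byte
 * character counts as more than one.
 *
 * @param mixed $password Candidate password, typically taken from request data.
 * @return bool true when the length is between 6 and 20 bytes inclusive, false otherwise.
 */
function is_password($password) {
    // PHP parses bracketed request parameters into arrays; strlen() warns or
    // throws on those, so anything that is not a scalar is rejected up front.
    if (!is_scalar($password)) {
        return false;
    }
    $strlen = strlen($password);
    return $strlen >= 6 && $strlen <= 20;
}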
 
/**
 * Report whether the input contains any character from a fixed denylist.
 *
 * The denylist covers backslash, ampersand, space, single and double quote,
 * slash, asterisk, comma, angle brackets, CR, TAB, LF and '#'. It is an input
 * filter only and does not replace escaping or parameterised queries where
 * the value is later used in SQL.
 *
 * @param string $string Text to inspect.
 * @return bool TRUE when at least one denylisted character is present, FALSE otherwise.
 */
function is_badword($string) {
    $denied = array("\\", '&', ' ', "'", '"', '/', '*', ',', '<', '>', "\r", "\t", "\n", "#");
    // Every entry is a single character, so one strpbrk() scan over the joined
    // list finds the same matches as probing each entry with strpos().
    return strpbrk($string, implode('', $denied)) !== FALSE;
}
 
/**
 * Check whether a username satisfies the naming rules.
 *
 * A valid name contains no denylisted character (see is_badword()), consists
 * only of ASCII letters, digits, underscore or bytes in the 0x7f-0xff range,
 * and is between 2 and 20 bytes long (strlen() counts bytes).
 *
 * @param string $username Username to check.
 * @return bool true when the name is acceptable, false otherwise.
 */
function is_username($username) {
    // Denylisted characters are refused before the pattern is applied.
    if (is_badword($username)) {
        return false;
    }
    if (!preg_match("/^[a-zA-Z0-9_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]+$/", $username)) {
        return false;
    }
    $length = strlen($username);
    return $length >= 2 && $length <= 20;
}