dedecms会员中心mtypes.php注入漏洞修复方法
路径:/member/mtypes.php。编辑 mtypes.php,找到如下代码:
elseif ($dopost == 'save') {
    // "save" action, vulnerable version: delete the ticked categories, then
    // rename the remaining ones. $mtypeidarr and $mtypename are not assigned in
    // this snippet; presumably they arrive from the submitted form (confirm
    // against the top of mtypes.php).
    if(isset($mtypeidarr) && is_array($mtypeidarr)) {
        // Seeded with '0' so the IN (...) list below is never empty.
        $delids = '0';
        // Keep only the entries that is_numeric() accepts.
        $mtypeidarr = array_filter($mtypeidarr, 'is_numeric');
        foreach($mtypeidarr as $delid) {
            $delid = HtmlReplace($delid);
            $delids .= ','.$delid;
            // A category that is being deleted is dropped from the rename list.
            unset($mtypename[$delid]);
        }
        // $delids is interpolated unquoted; the mid condition limits the delete
        // to rows whose mid equals $cfg_ml->M_ID.
        $query = "DELETE FROM `#@__mtypes` WHERE mtypeid IN ($delids) AND mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    foreach ($mtypename as $id => $name) {
        // Only the value is passed through HtmlReplace(); the key is not touched.
        $name = HtmlReplace($name);
        // FLAW: $id is the array key of $mtypename and is interpolated into the
        // quoted literal below without any validation or integer cast, so the
        // key itself becomes part of the SQL text. This is the injection point
        // the fix addresses by casting $id to an integer before use.
        $query = "UPDATE `#@__mtypes` SET mtypename='$name' WHERE mtypeid='$id' AND mid='$cfg_ml->M_ID'";
        $dsql->ExecuteNoneQuery($query);
    }
    ShowMsg('分类修改完成','mtypes.php');
}
用以下代码替换(核心改动:对 $mtypename 的键 $id 先执行 intval() 转为整数,再拼入 UPDATE 语句):
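elseif ($dopost == 'save') {
    // "save" action, patched version: delete the ticked categories, then rename
    // the remaining ones. Every id that reaches a SQL string is reduced to a
    // plain integer first, because both arrays are treated as untrusted input.
    if (isset($mtypeidarr) && is_array($mtypeidarr)) {
        // Seeded with '0' so the IN (...) list below is never empty.
        $delids = '0';
        foreach ($mtypeidarr as $delid) {
            // is_numeric() alone also accepts forms such as "1e3", "-1" or ".5".
            // The value is placed unquoted inside IN (...), so accept plain
            // decimal digits only and skip everything else.
            if (!is_scalar($delid) || !preg_match('/^[0-9]+\z/', (string)$delid)) {
                continue;
            }
            // Same normalisation as the one applied to $id further down.
            $delid = intval($delid);
            $delids .= ',' . $delid;
            // A category that is being deleted is dropped from the rename list.
            unset($mtypename[$delid]);
        }
        // The mid condition limits the delete to rows whose mid equals $cfg_ml->M_ID.
        $query = "delete from `#@__mtypes` where mtypeid in ($delids) and mid='$cfg_ml->M_ID';";
        $dsql->ExecNoneQuery($query);
    }
    // The keys of $mtypename were the injection point (key injection through
    // $mtypename). Guard against a missing or non-array value before iterating.
    if (isset($mtypename) && is_array($mtypename)) {
        foreach ($mtypename as $id => $name) {
            // NOTE(review): HtmlReplace() is defined elsewhere; confirm that it
            // escapes quotes, since $name is embedded in a quoted SQL literal.
            $name = HtmlReplace($name);
            // Normalise the key: anything that is not an integer collapses to a
            // harmless number before it is interpolated into the query.
            $id = intval($id);
            $query = "update `#@__mtypes` set mtypename='$name' where mtypeid='$id' and mid='$cfg_ml->M_ID'";
            $dsql->ExecuteNoneQuery($query);
        }
    }
    ShowMsg('分类修改完成','mtypes.php');
}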