
The logic problem of PHPCMS vulnerability causes getshell

How to fix the getshell vulnerability caused by a logic problem in phpcms

Summary:
1. Vulnerability name: a logic problem somewhere in phpcms leads to getshell
2. Patched file: /phpcms/libs/classes/attachment.class.php
3. Patch source: developed in-house by Yundun (Alibaba Cloud Shield)
4. Vulnerability description: in phpcms's /phpcms/libs/classes/attachment.class.php, the input parameter $ext is not type-restricted, which leads to a logic vulnerability.
[Note: this patch is Yundun's in-house code fix. Yundun checks whether your current code matches its own fix pattern. If you have applied a unified fix at the underlying/framework level, or used a different fix, Yundun may still report the vulnerability even though you have already fixed it. In that case you can choose to ignore the alert.]
…
Alibaba Cloud vulnerability alert.

Solution:

1. Following the vulnerability description, open attachment.class.php, locate the relevant code (near line 144), and add the patch code.

The patch code is as follows:

// Only the default pipe-delimited value is accepted as-is; any other $ext
// must be exactly one of the allowed image extensions (case-insensitive).
if($ext !== 'gif|jpg|jpeg|bmp|png'){
    if(!in_array(strtoupper($ext),array('JPG','GIF','BMP','PNG','JPEG'))) exit('附加扩展名必须为gif、jpg、jpeg、bmp、png');
}

[Screenshot: the patch code added to attachment.class.php]
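The patch above hard-codes the allow-list check inline. As an added example (not PHPCMS code or part of the original article), here is the same check written as a reusable function that also enforces the missing type restriction the advisory mentions: non-string values are rejected outright, and each '|'-separated entry is validated individually, so unlike the inline patch it also accepts subsets of the allow list such as `jpg|png`. The sample inputs are constructed for illustration.

```php
<?php
// Added example, not PHPCMS code: a stricter version of the allow-list check
// the patch applies to $ext. It rejects non-string input (the missing type
// restriction the advisory describes) and checks every '|'-separated entry,
// so the default pipe-delimited value still passes.
function isAllowedExtList($ext, array $allowed = ['gif', 'jpg', 'jpeg', 'bmp', 'png']): bool
{
    if (!is_string($ext) || $ext === '') {
        return false;                   // arrays, null, numbers are rejected outright
    }
    foreach (explode('|', $ext) as $one) {
        if (!in_array(strtolower(trim($one)), $allowed, true)) {
            return false;               // any entry outside the allow list fails the whole value
        }
    }
    return true;
}

// Constructed sample inputs (assumed, not from the page).
$samples = [
    'gif|jpg|jpeg|bmp|png' => true,   // the default value PHPCMS passes
    'PNG'                  => true,   // case-insensitive, like the patch's strtoupper()
    'jpg|png'              => true,   // subset of the allow list
    'php'                  => false,  // not an image extension
    'jpg|php'              => false,  // one bad entry rejects the whole list
    ''                     => false,
];
foreach ($samples as $input => $expected) {
    $result = isAllowedExtList($input);
    printf("%-24s => %s%s\n", var_export($input, true), var_export($result, true),
        $result === $expected ? '' : '  (UNEXPECTED)');
}

// Non-string input, which the original code did not guard against:
var_dump(isAllowedExtList(['jpg'])); // bool(false)
```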

2. Then copy the modified file, upload it to the corresponding location on the server, and overwrite the original directly;

3. Finally, log in to the Alibaba Cloud console and click Verify (screenshot below) to complete the vulnerability repair.

[Screenshot: the Verify button in the Alibaba Cloud console]

This concludes the fix for the "logic problem somewhere in phpcms leads to getshell" vulnerability.

Statement
This article is reproduced from CSDN. If there is any infringement, please contact admin@php.cn for removal.
