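PHPCMS v9: Fixing the SQL Injection Vulnerability in the Member Login Center
Files that need to be changed:
First file (five changes):
1: phpcms\modules\member\index.php, line 608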
$password = isset($_POST['password']) && trim($_POST['password']) ? trim($_POST['password']) : showmessage(L('password_empty'), HTTP_REFERER);
Add below it:
is_password($_POST['password']) && is_badword($_POST['password'])==false ? trim($_POST['password']) : showmessage(L('password_format_incorrect'), HTTP_REFERER);
2: phpcms\modules\member\index.php, line 471
$newpassword = password($_POST['info']['newpassword'], $this->memberinfo['encrypt']);
Add above it:
if(!is_password($_POST['info']['newpassword'])) {
showmessage(L('password_format_incorrect'), HTTP_REFERER);
}
3: Search for public function public_checkname_ajax() {
In the code below it, change:
$username = isset($_GET['username']) && trim($_GET['username']) ? trim($_GET['username']) : exit(0);
to:
$username = isset($_GET['username']) && trim($_GET['username']) && is_username(trim($_GET['username'])) ? trim($_GET['username']) : exit(0);
4: Search for public function public_checknickname_ajax() {
In the code below it, change:
$nickname = isset($_GET['nickname']) && trim($_GET['nickname']) ? trim($_GET['nickname']) : exit('0');
to:
$nickname = isset($_GET['nickname']) && trim($_GET['nickname']) && is_username(trim($_GET['nickname'])) ? trim($_GET['nickname']) : exit('0');
5: Search for public function public_checkemail_ajax() {
In the code below it, change:
$email = isset($_GET['email']) && trim($_GET['email']) ? trim($_GET['email']) : exit(0);
to:
$email = isset($_GET['email']) && trim($_GET['email']) && is_email(trim($_GET['email'])) ? trim($_GET['email']) : exit(0);
Second file: phpsso_server\phpcms\modules\phpsso\classes\phpsso.class.php, line 37
if(empty($this->data) || !is_array($this->data)) {
exit('0');
}
Add below it:
if(!get_magic_quotes_gpc()) {
$this->data= new_addslashes($this->data);
}
if(isset($this->data['username']) && $this->data['username']!='' && is_username($this->data['username'])==false){
exit('-5');
}
if(isset($this->data['email']) && $this->data['email']!='' && is_email($this->data['email'])==false){
exit('-5');
}
if(isset($this->data['password']) && $this->data['password']!='' && (is_password($this->data['password'])==false || is_badword($this->data['password']))){
exit('-5');
}
if(isset($this->data['newpassword']) && $this->data['newpassword']!='' && (is_password($this->data['newpassword'])==false || is_badword($this->data['newpassword']))){
exit('-5');
}
Third file: phpsso_server\phpcms\modules\phpsso\index.php, line 195
if($this->username) {
$res = $this->db->update($data, array('username'=>$this->username));
} else {
$res = $this->db->update($data, array('uid'=>$this->uid));
}
Change to:
if($this->uid > 0) {
$res = $this->db->update($data, array('uid'=>$this->uid));
} else if($this->username) {
$res = $this->db->update($data, array('username'=>$this->username));
}
Fourth file: phpsso_server\phpcms\modules\phpsso\functions\global.func.php. Add the following functions:
/**
 * Check whether the password length is within the allowed range
 *
 * @param STRING $password
 * @return TRUE or FALSE
 */
function is_password($password) {
	$strlen = strlen($password);
	if($strlen >= 6 && $strlen <= 20) return true;
	return false;
}
/**
 * Check whether the input contains disallowed characters
 *
 * @param char $string the string to check
 * @return TRUE or FALSE
 */
function is_badword($string) {
	// Backslash, quotes, whitespace and other characters rejected in usernames and passwords
	$badwords = array("\\",'&',' ',"'",'"','/','*',',','<','>',"\r","\t","\n","#");
	foreach($badwords as $value){
		if(strpos($string, $value) !== FALSE) {
			return TRUE;
		}
	}
	return FALSE;
}
/**
 * Check whether the username is valid
 *
 * @param STRING $username the username to check
 * @return TRUE or FALSE
 */
function is_username($username) {
	$strlen = strlen($username);
	if(is_badword($username) || !preg_match("/^[a-zA-Z0-9_-][a-zA-Z0-9_-]+$/", $username)){
		return false;
	} elseif ( 20 < $strlen || $strlen < 2 ) {
		return false;
	}
	return true;
}
Logic fix to prevent users from sending messages to themselves:
phpcms\modules\message\index.php, line 42
if(!$r) showmessage(L('user_not_exist','','member'));
Add below it:
if($tousername==$username){
showmessage(L('not_myself','','message'));
}
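
To confirm that every change listed above is actually present on a server, the following added example (not part of the original page or of PHPCMS) searches a tree for one literal marker taken from each fix. It assumes the standard PHPCMS v9 directory layout under the web root passed as the first argument; the function name and script name are hypothetical.

```shell
#!/bin/sh
# Added example (constructed): audit a PHPCMS v9 tree for the fixes on this page.
# Each record is "path relative to web root|literal marker from the patched code".
# Matching is literal and whitespace-sensitive: MISSING on reformatted code
# means "inspect by hand", not necessarily "unpatched".
check_phpcms_patch() {
    root=$1
    missing=0
    while IFS='|' read -r rel marker; do
        if [ -f "$root/$rel" ] && grep -qF -- "$marker" "$root/$rel"; then
            printf 'OK       %s: %s\n' "$rel" "$marker"
        else
            printf 'MISSING  %s: %s\n' "$rel" "$marker"
            missing=$((missing + 1))
        fi
    done <<'EOF'
phpcms/modules/member/index.php|is_badword($_POST['password'])==false
phpcms/modules/member/index.php|!is_password($_POST['info']['newpassword'])
phpcms/modules/member/index.php|is_username(trim($_GET['username']))
phpcms/modules/member/index.php|is_username(trim($_GET['nickname']))
phpcms/modules/member/index.php|is_email(trim($_GET['email']))
phpsso_server/phpcms/modules/phpsso/classes/phpsso.class.php|new_addslashes($this->data)
phpsso_server/phpcms/modules/phpsso/classes/phpsso.class.php|is_username($this->data['username'])
phpsso_server/phpcms/modules/phpsso/classes/phpsso.class.php|is_email($this->data['email'])
phpsso_server/phpcms/modules/phpsso/classes/phpsso.class.php|is_badword($this->data['password'])
phpsso_server/phpcms/modules/phpsso/classes/phpsso.class.php|is_badword($this->data['newpassword'])
phpsso_server/phpcms/modules/phpsso/index.php|if($this->uid > 0)
phpsso_server/phpcms/modules/phpsso/functions/global.func.php|function is_password(
phpsso_server/phpcms/modules/phpsso/functions/global.func.php|function is_badword(
phpsso_server/phpcms/modules/phpsso/functions/global.func.php|function is_username(
phpcms/modules/message/index.php|if($tousername==$username)
EOF
    return "$missing"   # exit status = number of fixes not found
}

# Usage: sh check_phpcms_patch.sh /path/to/webroot
if [ "$#" -gt 0 ]; then check_phpcms_patch "$1"; fi
```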