1、修復gbk版本 sql注入漏洞 危險級 高
2、修復flow.php sql注入漏洞 危險級 高
3、修復支付方式報路徑 危險級 中
4、修復模板可執行php檔 危險級 中
5、修復ie9 不能使用fck編輯器問題
6、修復flow.php sql 注入漏洞 危險級 高
7、修復fck編輯器 XSS 攻擊 危險級 中
8、修復flow.php XSS 攻擊 危險級高
9、支付寶支付方式sql注入 危險級高
詳細修改位置說明
admin/ecshopfiles.md5
admin/patch_num
includes/ fckeditor/ *
includes/modules/ payment/alipay.php
mobile /*
直接覆蓋
以下列出的檔案,是比較有可能因二次開發已經修改過,因此不能直接覆蓋,否則可能導致無法預期的結果,請依照下列位置進行修改,並於修改前做好備份
flow.php
374-386
// flow.php 374-386 (patched consignee fields): id-like fields are coerced with
// intval(); free-text fields are passed through compile_str(), which — as listed
// in the lib_base.php section of this document — replaces only '<' and '>'.
// NOTE(review): compile_str() does not escape quotes; confirm these values are
// escaped by the DB layer before they are used in SQL.
'address_id' => empty($_POST['address_id']) ? 0 : intval($_POST['address_id']),
'consignee' => empty($_POST['consignee']) ? '' : compile_str(trim($_POST['consignee'])),
'country' => empty($_POST['country']) ? '' : intval($_POST['country']),
'province' => empty($_POST['province']) ? '' : intval($_POST['province']),
'city' => empty($_POST['city']) ? '' : intval($_POST['city']),
'district' => empty($_POST['district']) ? '' : intval($_POST['district']),
'email' => empty($_POST['email']) ? '' : compile_str($_POST['email']),
'address' => empty($_POST['address']) ? '' : compile_str($_POST['address']),
'zipcode' => empty($_POST['zipcode']) ? '' : compile_str(make_semiangle(trim($_POST['zipcode']))),
'tel' => empty($_POST['tel']) ? '' : compile_str(make_semiangle(trim($_POST['tel']))),
'mobile' => empty($_POST['mobile']) ? '' : compile_str(make_semiangle(trim($_POST['mobile']))),
'sign_building' => empty($_POST['sign_building']) ? '' :compile_str($_POST['sign_building']),
'best_time' => empty($_POST['best_time']) ? '' : compile_str($_POST['best_time']),
1366-1370
// Invoice / gift-card / postscript fields from the request: an absent key
// becomes '' and a present value is passed through compile_str(). The invoice
// type is the one field where an empty value also counts as absent (empty()
// rather than isset()).
$_POST['inv_type'] = empty($_POST['inv_type']) ? '' : compile_str($_POST['inv_type']);
$_POST['inv_payee'] = !isset($_POST['inv_payee']) ? '' : compile_str($_POST['inv_payee']);
$_POST['inv_content'] = !isset($_POST['inv_content']) ? '' : compile_str($_POST['inv_content']);
$_POST['card_message'] = !isset($_POST['card_message']) ? '' : compile_str($_POST['card_message']);//20130308
$_POST['postscript'] = !isset($_POST['postscript']) ? '' : compile_str($_POST['postscript']);//20130308
2185
// flow.php 2185: rejects entries whose value is not positive or whose key is not
// numeric before the loop body (not shown here) uses them.
// NOTE(review): is_numeric() also accepts signed, decimal and exponent forms such
// as '1e3' or ' 7', so a passing key is not guaranteed to be a plain integer;
// intval() or ctype_digit() would be a tighter check.
if ($val <= 0 || !is_numeric($key))//20130308
2319
// flow.php 2319: same guard as at 2185 — non-positive values and non-numeric keys
// are skipped before the loop body (not shown here) uses them.
// NOTE(review): is_numeric() accepts forms such as '1e3' or ' 7'; intval() or
// ctype_digit() would guarantee a plain integer key.
if ($val <= 0 || !is_numeric($key))//20130308
respond.php
73
// Outcome message for the payment callback. The '@' silences any notice or
// warning raised inside the payment module's respond(); only its truthiness
// decides which language string is shown.
if (@$payment->respond())
{
    $msg = $_LANG['pay_success'];//20130308
}
else
{
    $msg = $_LANG['pay_fail'];
}
user.php
162-163
// Password-question fields: an empty selected question yields ''; the answer is
// trimmed when present. Both values are passed through compile_str().
$sel_question = !empty($_POST['sel_question']) ? compile_str($_POST['sel_question']) : '';//20130308
$passwd_answer = !isset($_POST['passwd_answer']) ? '' : compile_str(trim($_POST['passwd_answer']));//20130308
218
// Append one "(user_id, field_id, content)" VALUES tuple to the accumulated
// string; the field content goes through compile_str(), which replaces only
// '<' and '>'.
// NOTE(review): nothing on this line escapes quotes in $temp_field_content —
// confirm it is already SQL-escaped upstream before relying on this line alone.
$extend_field_str .= sprintf(" ('%s', '%s', '%s'),", $_SESSION['user_id'], $val['id'], compile_str($temp_field_content));//20130308
499-500
// user.php 499-500: same handling as the password-question block at 162-163 —
// empty question -> '', answer trimmed when present, both through compile_str().
$sel_question = !empty($_POST['sel_question']) ? compile_str($_POST['sel_question']) : '';//20130308
$passwd_answer = !isset($_POST['passwd_answer']) ? '' : compile_str(trim($_POST['passwd_answer']));//20130308
978-985
// user.php 978-985 (patched): only 'address' and 'zipcode' are wrapped in
// compile_str() here; consignee, email, tel, mobile, best_time and sign_building
// are merely trimmed (and half-width-normalised for tel/mobile).
// NOTE(review): the 2022-2029 block later in this document wraps every one of
// these fields in compile_str() — confirm the narrower filtering here is intended.
'address' => isset($_POST['address']) ? compile_str(trim($_POST['address'])) : '',//20130308
'consignee' => isset($_POST['consignee']) ? trim($_POST['consignee']) : '',
'email' => isset($_POST['email']) ? trim($_POST['email']) : '',
'tel' => isset($_POST['tel']) ? make_semiangle(trim($_POST['tel'])) : '',
'mobile' => isset($_POST['mobile']) ? make_semiangle(trim($_POST['mobile'])) : '',
'best_time' => isset($_POST['best_time']) ? trim($_POST['best_time']) : '',
'sign_building' => isset($_POST['sign_building']) ? trim($_POST['sign_building']) : '',
'zipcode' => isset($_POST['zipcode']) ? compile_str(make_semiangle(trim($_POST['zipcode']))) : '',//20130308
2022-2029
// user.php 2022-2029 (patched): every consignee field is trimmed and passed
// through compile_str(); zipcode is converted to half-width first.
// NOTE(review): compile_str() replaces only '<' and '>' — quote escaping for SQL
// must come from the DB layer, not from this block.
'consignee' => isset($_POST['consignee']) ? compile_str(trim($_POST['consignee'])) : '',//20130308
'email' => isset($_POST['email']) ? compile_str(trim($_POST['email'])) : '',
'address' => isset($_POST['address']) ? compile_str(trim($_POST['address'])) : '',
'zipcode' => isset($_POST['zipcode']) ? compile_str(make_semiangle(trim($_POST['zipcode']))) : '',
'tel' => isset($_POST['tel']) ? compile_str(trim($_POST['tel'])) : '',
'mobile' => isset($_POST['mobile']) ? compile_str(trim($_POST['mobile'])) : '',
'sign_building' => isset($_POST['sign_building']) ? compile_str(trim($_POST['sign_building'])) : '',
'best_time' => isset($_POST['best_time']) ? compile_str(trim($_POST['best_time'])) : '',//20130308
includes/cls_template.php 約287
這段限制了模板檔執行php程式,如果您修改過模板,同時模板裡有可執行php程式,那麼您不要覆蓋includes/cls_template.php,覆蓋後可能會影響到您前端的模板效果或者出現錯誤。
// includes/cls_template.php ~287, current code (replaced by the block below).
// NOTE(review): the first pattern as printed ("/||]+language...") has empty
// alternations and an unmatched ']' — tag-like text appears to have been
// stripped when this page was extracted. Take the line from the shipped file,
// not from here.
// The second call uses the PCRE /e modifier, which evaluates the replacement as
// PHP code (deprecated in 5.5, removed in 7.0); a port to current PHP must use
// preg_replace_callback() instead.
$source = preg_replace("/||]+language[^>]*=[^>]*php[^>]*>[^><]*/iU", "", $source); return preg_replace("/{([^\}\{\n]*)}/e", "\$this->select('\\1');", $source);
改為
// Replacement: each distinct match of the pattern is swapped for a
// '%%%SMARTYSP<n>%%%' placeholder, then every placeholder is replaced again
// by the second loop, so the original text never reaches the template
// compiler as executable PHP.
// NOTE(review): as printed, the pattern's first alternative is empty and the
// second loop's replacement is ''."\n" — both look truncated by extraction
// (compare with the first, stripped pattern above). Copy this block from the
// shipped includes/cls_template.php rather than from this page.
// The trailing preg_replace() still uses the /e modifier (removed in PHP 7.0).
if(preg_match_all('~(|language\s*=\s*[\"\']?php[\"\']?)~is', $source, $sp_match)) { $sp_match[1] = array_unique($sp_match[1]); for ($curr_sp = 0, $for_max2 = count($sp_match[1]); $curr_sp < $for_max2; $curr_sp++) { $source = str_replace($sp_match[1][$curr_sp],'%%%SMARTYSP'.$curr_sp.'%%%',$source); } for ($curr_sp = 0, $for_max2 = count($sp_match[1]); $curr_sp < $for_max2; $curr_sp++) { $source= str_replace('%%%SMARTYSP'.$curr_sp.'%%%', ''."\n", $source); } } return preg_replace("/{([^\}\{\n]*)}/e", "\$this->select('\\1');", $source);
includes/lib_base.php 約770
/**
* 检查文件类型
上面增加
/**
* 过滤用户输入的基本数据,防止script攻击
order.php *
user.php * @access public
* @return string
*/
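/**
 * Entity-encodes the two characters that open and close HTML tags, '<' and
 * '>', so user-supplied text cannot introduce markup when it is later echoed
 * into a template. Nothing else is touched: quotes, '&' and multibyte
 * characters pass through unchanged, so this is NOT SQL escaping.
 *
 * NOTE(review): the listing above showed the mapping as '<' => '<', which is a
 * no-op and looks like HTML entities lost on extraction; the entity form is
 * restored here. Compare with the shipped lib_base.php.
 *
 * @access public
 * @param string $str raw user input
 * @return string the input with '<' and '>' replaced by '&lt;' and '&gt;'
 */
function compile_str($str)
{
    $arr = array('<' => '&lt;', '>' => '&gt;');
    return strtr($str, $arr);
}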
約1142
// includes/lib_base.php ~1142, current return (replaced by the line below): the
// charset-converted string is returned with no slash handling at all.
return ecs_iconv('utf-8', EC_CHARSET, $str);
改為
// Replacement: strip any backslashes already present, then addslashes() the
// converted string — presumably so the result is escaped exactly once whether
// or not the input was escaped earlier (e.g. by magic_quotes); confirm.
// NOTE(review): addslashes() is byte-oriented and unaware of the connection
// charset, so this line alone does not address the GBK multibyte injection
// listed as item 1 of this patch — confirm that fix is applied elsewhere
// (charset-aware escaping in the DB layer).
return addslashes(stripslashes(ecs_iconv('utf-8', EC_CHARSET, $str)));
includes/lib_payment.php 約111
// includes/lib_payment.php ~111, current code (replaced below): $log_id is
// interpolated into the query with no type check — presumably the payment
// SQL-injection item (9) in the list at the top of this document.
$sql = 'SELECT order_amount FROM ' . $GLOBALS['ecs']->table('pay_log') .
" WHERE log_id = '$log_id'";
$amount = $GLOBALS['db']->getOne($sql);
改為
// Replacement: only a numeric $log_id reaches the query; anything else makes the
// enclosing function (not shown here) return false.
// NOTE(review): is_numeric() also accepts signed, decimal and exponent forms such
// as '1e3', so the value is still interpolated as a string rather than a clean
// integer; casting with intval() before building $sql would be tighter.
if(is_numeric($log_id))
{
$sql = 'SELECT order_amount FROM ' . $GLOBALS['ecs']->table('pay_log') .
" WHERE log_id = '$log_id'";
$amount = $GLOBALS['db']->getOne($sql);
}
else
{
return false;
}