ECSHOP Latest Patch: Security Vulnerability Patch [20110214], Summary of Change Points

ECShop has released its latest patch at: http://bbs.ecshop.com/thread-146345-1-2.html . Because of secondary development, many people's code has diverged considerably from the official release, so I took some time to go through the required change points and summarize them, hoping to make ECShop easier for everyone to use.

Below is the official description:

1. Error prompt during batch shipping operations
2. Errors in mobile shopping
3. Order submission error on low MySQL versions
4. With stock management disabled and stock insufficient, gift packages cannot be purchased
5. Inserting an image with a relative path in the e-mail magazine causes the image not to display in sent mails
6. Insufficient filtering in Search.php leading to SQL injection, and a vulnerability produced by the back-end shop setup wizard
7. Insufficient filtering in the flow file
8. Front-end users able to perform operations beyond their privileges
9. Gift package id not filtered
10. FCKeditor path disclosure vulnerability. Risk level: medium
11. When composing SQL for the goods list, one layer of filtering was missing on the conditions. Risk level: medium
12. ECShop 2.7.2 persistent XSS. Risk level: medium
13. Add filtering to the mobile search
14. Add filtering to the file api/checkorder.php. Risk level: medium
15. Payment method injection vulnerability

Below are the points I summarized. I did not cover the back-end order.php file because of limited time; please bear with me, and point out any errors you find.

1.user.php

1) Add an htmlspecialchars filter
 /* 更新用户扩展字段的数据 */ (update the data of the user's extended fields)
 Find
$temp_field_content = strlen($_POST[$extend_field_index]) > 100 ? mb_substr($_POST[$extend_field_index], 0, 99) : $_POST[$extend_field_index];
 Replace with
$temp_field_content = strlen($_POST[$extend_field_index]) > 100 ? mb_substr(htmlspecialchars($_POST[$extend_field_index]), 0, 99) : htmlspecialchars($_POST[$extend_field_index]);

2) Add the user ID to the user-message queries
 /* 获取用户留言的数量 */ (get the number of the user's messages)
 Find
    " WHERE parent_id = 0 AND order_id = '$order_id'";
$order_info = $db->getRow("SELECT * FROM " . $ecs->table('order_info') . " WHERE order_id = '$order_id'");
 Replace with
" WHERE parent_id = 0 AND order_id = '$order_id' AND user_id = '$user_id'";
$order_info = $db->getRow("SELECT * FROM " . $ecs->table('order_info') . " WHERE order_id = '$order_id' AND user_id = '$user_id'");

3) F:/PHPnow-1.5.3/htdocs/emeif/includes/lib_clips.php
 Find
$sql .= " WHERE parent_id = 0 AND order_id = '$order_id' ORDER BY msg_time DESC";

 Replace with:
$sql .= " WHERE parent_id = 0 AND order_id = '$order_id' AND user_id = '$user_id' ORDER BY msg_time DESC";
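The effect of the extra "AND user_id = '$user_id'" condition in user.php and lib_clips.php, shown as an added example that is not ECShop's own code: the $db wrapper and the real tables are replaced by constructed in-memory rows, and the two functions mirror the query before and after the patch.

```php
<?php
// Added example, not ECShop's own code: the order-ownership check that the
// patch adds to the user-message queries, demonstrated over constructed rows.

// Constructed stand-in for the order_info table: order_id => owning user_id.
const ORDER_INFO = [
    1001 => 7,
    1002 => 8,
];

// Constructed stand-in for the user-message table (parent_id 0 = top-level message).
const MESSAGES = [
    ['order_id' => 1001, 'user_id' => 7, 'parent_id' => 0, 'msg' => 'Please ship by EMS'],
    ['order_id' => 1002, 'user_id' => 8, 'parent_id' => 0, 'msg' => 'Invoice title changed'],
    ['order_id' => 1002, 'user_id' => 8, 'parent_id' => 1, 'msg' => 'Reply: noted'],
];

/** Unpatched shape: the rows are selected by order_id alone. */
function order_messages_unpatched(int $order_id): array
{
    return array_values(array_filter(MESSAGES, function ($r) use ($order_id) {
        return $r['parent_id'] === 0 && $r['order_id'] === $order_id;
    }));
}

/** Patched shape: the order_info row and the messages must both belong to $user_id. */
function order_messages_patched(int $order_id, int $user_id): array
{
    $owner = ORDER_INFO[$order_id] ?? null;   // WHERE order_id = ... AND user_id = ...
    if ($owner !== $user_id) {
        return [];                            // no order_info row for this user: nothing shown
    }
    return array_values(array_filter(MESSAGES, function ($r) use ($order_id, $user_id) {
        return $r['parent_id'] === 0 && $r['order_id'] === $order_id && $r['user_id'] === $user_id;
    }));
}

// Logged-in user 7 requests messages for order 1002, which belongs to user 8,
// and then for their own order 1001.
$me = 7;
printf("unpatched, order 1002: %d message(s)\n", count(order_messages_unpatched(1002)));
printf("patched,   order 1002: %d message(s)\n", count(order_messages_patched(1002, $me)));
printf("patched,   order 1001: %d message(s)\n", count(order_messages_patched(1001, $me)));
```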
----------------------------------------------------------------------------------------------------------------------------------------

2.search.php  none
3.flow.php  none

----------------------------------------------------------------------------------------------------------------------------------------


4.F:/PHPnow-1.5.3/htdocs/emeif/includes/lib_payment.php -----> add a filtering condition
 Find the function
function get_order_id_by_sn($order_sn, $voucher = 'false')

 Inside if ($voucher == 'true'), replace the original code
return $GLOBALS['db']->getOne("SELECT log_id FROM " . $GLOBALS['ecs']->table('pay_log') . " WHERE order_id=" . $order_sn . ' AND order_type=1');
 with
if(is_numeric($order_sn))
{
    return $GLOBALS['db']->getOne("SELECT log_id FROM " . $GLOBALS['ecs']->table('pay_log') . " WHERE order_id=" . $order_sn . ' AND order_type=1');
}
else
{
    return "";
}

----------------------------------------------------------------------------------------------------------------------------------------
5.F:/PHPnow-1.5.3/htdocs/emeif/includes/lib_common.php
 1) Filtering in the method
 Find
* 获取指定id package 的信息 (get the information of the package with the given id) .. global $ecs, $db,$_CFG;

  Below it add
   $id = is_numeric($id)?intval($id):0;
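The two numeric-id guards above (is_numeric in lib_payment.php, is_numeric plus intval in lib_common.php) applied to constructed inputs, as an added example that is not ECShop's own code; the $db/$ecs wrapper is replaced by functions that return the SQL text that would be executed, and the table name ecs_pay_log is assumed.

```php
<?php
// Added example, not ECShop's own code: the numeric-id guards from
// lib_payment.php and lib_common.php on constructed inputs. Instead of the
// $db wrapper, each function returns the SQL text that would be executed.

/** Unpatched shape: $order_sn is concatenated into the WHERE clause as-is. */
function pay_log_sql_unpatched(string $order_sn): string
{
    return "SELECT log_id FROM ecs_pay_log WHERE order_id=" . $order_sn . " AND order_type=1";
}

/** Patched lib_payment.php shape: non-numeric input never reaches the query. */
function pay_log_sql_patched(string $order_sn): ?string
{
    if (is_numeric($order_sn)) {
        return "SELECT log_id FROM ecs_pay_log WHERE order_id=" . $order_sn . " AND order_type=1";
    }
    return null; // the patch returns "" here; null only makes the refusal visible below
}

/** Patched lib_common.php shape for the package id: normalize to an integer. */
function package_id_guard(string $raw_id): int
{
    return is_numeric($raw_id) ? intval($raw_id) : 0;
}

// Constructed inputs: a plain id, a string with trailing letters, and an id
// with a leading space (is_numeric accepts leading whitespace).
foreach (['1001', '12abc', ' 42'] as $input) {
    $shown = var_export($input, true);
    printf("%-8s unpatched : %s\n", $shown, pay_log_sql_unpatched($input));
    printf("%-8s patched   : %s\n", '', pay_log_sql_patched($input) ?? '(refused, returns "")');
    printf("%-8s intval    : %d\n", '', package_id_guard($input));
}
```

is_numeric also accepts exponent notation and, before PHP 7, hexadecimal strings, so the intval form used for the package id is the tighter of the two guards.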
  ----------------------------------------------------------------------------------------------------------------------------------------
6.FCK vulnerability: F:/PHPnow-1.5.3/htdocs/emeif/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php, overwrite directly

----------------------------------------------------------------------------------------------------------------------------------------

7.F:/PHPnow-1.5.3/htdocs/emeif/api/checkorder.php
 Overwrite directly (adds filtering)

----------------------------------------------------------------------------------------------------------------------------------------
8.Overwrite magazine_list.php directly

----------------------------------------------------------------------------------------------------------------------------------------

9.category.php
 1) Add filtering of the filter_attr_str variable
 /* 初始化分页信息 */ (initialize the pagination information)
 Find
  $filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0';

 Below it add
  $filter_attr_str = urldecode($filter_attr_str);

----------------------------------------------------------------------------------------------------------------------------------------

 


10.F:/PHPnow-1.5.3/htdocs/emeif/wanmei/index.php
 1) Add a check for the demo directory
 Find
if (file_exists('../upgrade')) { $warning[] = $_LANG['remove_upgrade']; }

    Below it add
if (file_exists('../demo')) { $warning[] = $_LANG['remove_demo']; }
    2) Add filtering
    Find
  elseif ($_REQUEST['act'] == 'main_api')

 Replace everything inside the braces with

{
    require_once(ROOT_PATH . '/includes/lib_base.php');
    $data = read_static_cache('api_str');
    if($data === false || API_TIME < date('Y-m-d H:i:s',time()-43200))
    {
        include_once(ROOT_PATH . 'includes/cls_transport.php');
        $ecs_version = VERSION;
        $ecs_lang = $_CFG['lang'];
        $ecs_release = RELEASE;
        $php_ver = PHP_VERSION;
        $mysql_ver = $db->version();
        $order['stats'] = $db->getRow('SELECT COUNT(*) AS oCount, IFNULL(SUM(order_amount), 0) AS oAmount' . ' FROM ' .$ecs->table('order_info'));
        $ocount = $order['stats']['oCount'];
        $oamount = $order['stats']['oAmount'];
        $goods['total'] = $db->GetOne('SELECT COUNT(*) FROM ' .$ecs->table('goods'). ' WHERE is_delete = 0 AND is_alone_sale = 1 AND is_real = 1');
        $gcount = $goods['total'];
        $ecs_charset = strtoupper(EC_CHARSET);
        $ecs_user = $db->getOne('SELECT COUNT(*) FROM ' . $ecs->table('users'));
        $ecs_template = $db->getOne('SELECT value FROM ' . $ecs->table('shop_config') . ' WHERE code = \'template\'');
        $style = $db->getOne('SELECT value FROM ' . $ecs->table('shop_config') . ' WHERE code = \'stylename\'');
        if($style == '')
        {
            $style = '0';
        }
        $ecs_style = $style;
        $shop_url = urlencode($ecs->url());
        $patch_file = file_get_contents(ROOT_PATH.ADMIN_PATH."/patch_num");
        $apiget = "ver= $ecs_version &lang= $ecs_lang &release= $ecs_release &php_ver= $php_ver &mysql_ver= $mysql_ver &ocount= $ocount &oamount= $oamount &gcount= $gcount &charset= $ecs_charset &usecount= $ecs_user &template= $ecs_template &style= $ecs_style &url= $shop_url &patch= $patch_file ";
        $t = new transport;
        $api_comment = $t->request('http://api.ecshop.com/checkver.php', $apiget);
        $api_str = $api_comment["body"];
        echo $api_str;
        $f=ROOT_PATH . 'data/config.php';
        file_put_contents($f,str_replace("'API_TIME', '".API_TIME."'","'API_TIME', '".date('Y-m-d H:i:s',time())."'",file_get_contents($f)));
        write_static_cache('api_str', $api_str);
    }
    else
    {
        echo $data;
    }
}
 3) Shipping method check

 //设置配送方式 (set the shipping method)
    Find
$set_modules = true;
include_once(ROOT_PATH . 'includes/modules/shipping/' . $shipping . '.php');

Replace with
$shop_add = read_modules('../includes/modules/shipping');
foreach ($shop_add as $val)
{
    $mod_shop[] = $val['code'];
}
$mod_shop = implode(',',$mod_shop);
$set_modules = true;
if(strpos($mod_shop,$shipping) === false)
{
    exit;
}
else
{
    include_once(ROOT_PATH . 'includes/modules/shipping/' . $shipping . '.php');
}
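The shipping-module check that the patched index.php puts in front of include_once, next to an exact-match variant, as an added example that is not ECShop's own code; read_modules() is replaced by a constructed list of module codes.

```php
<?php
// Added example, not ECShop's own code: the strpos-based module check from
// the patched index.php beside an in_array check, run on constructed inputs.

/** Constructed stand-in for read_modules('../includes/modules/shipping'). */
function installed_shipping_codes(): array
{
    return ['ems', 'flat', 'post_express', 'sf_express'];
}

/** Patched form: join the codes with commas and look for $shipping as a substring. */
function shipping_allowed_strpos(string $shipping): bool
{
    $mod_shop = implode(',', installed_shipping_codes());
    return strpos($mod_shop, $shipping) !== false;
}

/** Exact membership with strict comparison: only a whole installed code passes. */
function shipping_allowed_exact(string $shipping): bool
{
    return in_array($shipping, installed_shipping_codes(), true);
}

// Constructed inputs: an installed code, a fragment of one, two codes joined by
// the same comma the check uses as separator, and a code that is not installed.
foreach (['ems', 'em', 'ems,flat', 'cod'] as $value) {
    printf("%-12s strpos: %-5s exact: %s\n", var_export($value, true),
        var_export(shipping_allowed_strpos($value), true),
        var_export(shipping_allowed_exact($value), true));
}
```

With the substring check, 'em' and 'ems,flat' are accepted although no module file of that name exists, so the following include_once would fail on them; in_array with strict comparison accepts only the installed codes themselves.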

----------------------------------------------------------------------------------------------------------------------------------------

 

UTF-8 version: ECShop_2_7_2_UTF8_patch010.rar (184.63 KB)

GBK version: ECShop_2_7_2_GBK_patch010.rar (180.52 KB)