ECSHOP 最新补丁 安全漏洞补丁[20110214] 修改点总结

EC发布了最新补丁地址：http://bbs.ecshop.com/thread-146345-1-2.html  由于二次开发的需要很多人的代码已经和官方相差很多，自己抽时间查看了一下所需修改点的总结，希望大家更方便的使用EC。

一下是官方的说明：

1、发货单批量操作时候，提示错误
2、手机购物出现错误
3、低版本mysql 提交订单出现错误
4、关闭库存管理且库存不足， 礼包不能购买
5、邮件杂志中添加插入图片插入相对路径导致发送邮件图片无法显示
6、Search.php页面过滤不严导致SQL注入漏洞以及后台开店向导会产生的漏洞
7、flow文件过滤不严
8、前台用户越权操作
9、礼包id未过滤
10、fck漏洞爆路径 危险级 中
11、商品列表组合sql时，对条件少了一层过滤。 危险级 中 
12、Ecshop2.7.2持久型XSS    危险级 中
13、mobile的搜索添加过滤  
14、文件api/checkorder.php 添加过滤 危险级中
15、支付方式注射漏洞

 

 

下面为我总结点 ，其中针对后台的order.php文件没有去总结，因为时间有限希望大家见谅，如果有错误希望大家多多提出。

1.user.php

1）增加一个htmlspecialchars过滤
 /* 更新用户扩展字段的数据 */
 查找
$temp_field_content = strlen($_POST[$extend_field_index]) > 100 ? mb_substr($_POST[$extend_field_index], 0, 99) : $_POST[$extend_field_index]; 
 修改为
$temp_field_content = strlen($_POST[$extend_field_index]) > 100 ? mb_substr(htmlspecialchars($_POST[$extend_field_index]), 0, 99) : htmlspecialchars($_POST[$extend_field_index]);

2）用户留言增加一个用户ID号
 /* 获取用户留言的数量 */
 查找
    " WHERE parent_id = 0 AND order_id = '$order_id'"; $order_info = $db->getRow("SELECT * FROM " . $ecs->table('order_info') . " WHERE order_id = '$order_id'"); 
 修改为
" WHERE parent_id = 0 AND order_id = '$order_id' AND user_id = '$user_id'"; $order_info = $db->getRow("SELECT * FROM " . $ecs->table('order_info') . " WHERE order_id = '$order_id' AND user_id = '$user_id'");

10.F:/PHPnow-1.5.3/htdocs/emeif/includes/lib_clips.php
 查找
$sql .= " WHERE parent_id = 0 AND order_id = '$order_id' ORDER BY msg_time DESC"; 

 修改为：
$sql .= " WHERE parent_id = 0 AND order_id = '$order_id' AND user_id = '$user_id' ORDER BY msg_time DESC";
----------------------------------------------------------------------------------------------------------------------------------------

2.search.php  无
3.flow.php  无

----------------------------------------------------------------------------------------------------------------------------------------

4.F:/PHPnow-1.5.3/htdocs/emeif/includes/lib_payment.php ----->增加 过滤条件
 查找方法
function get_order_id_by_sn($order_sn, $voucher = 'false') 
 
 在if ($voucher == 'true')中将原代码替换
 
return $GLOBALS['db']->getOne("SELECT log_id FROM " . $GLOBALS['ecs']->table('pay_log') . " WHERE order_id=" . $order_sn . ' AND order_type=1'); 替换为 if(is_numeric($order_sn)) { return $GLOBALS['db']->getOne("SELECT log_id FROM " . $GLOBALS['ecs']->table('pay_log') . " WHERE order_id=" . $order_sn . ' AND order_type=1'); } else { return ""; }

----------------------------------------------------------------------------------------------------------------------------------------
5.F:/PHPnow-1.5.3/htdocs/emeif/includes/lib_common.php
 1）方法过滤
 查找
* 获取指定id package 的信息 .. global $ecs, $db,$_CFG; 
  
  在其下加入
   $id = is_numeric($id)?intval($id):0; 
  ----------------------------------------------------------------------------------------------------------------------------------------
6.fck漏洞 F:/PHPnow-1.5.3/htdocs/emeif/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php 直接覆盖

----------------------------------------------------------------------------------------------------------------------------------------

7.F:/PHPnow-1.5.3/htdocs/emeif/api/checkorder.php
 直接覆盖  增加过滤

 

----------------------------------------------------------------------------------------------------------------------------------------
8.直接覆盖 magazine_list.php

----------------------------------------------------------------------------------------------------------------------------------------

9.category.php
 1）增加filter_attr_str变量的过滤
 /* 初始化分页信息 */
 查找
  $filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0'; 

 在其下加入
  $filter_attr_str = urldecode($filter_attr_str);

----------------------------------------------------------------------------------------------------------------------------------------

 

10.F:/PHPnow-1.5.3/htdocs/emeif/wanmei/index.php
 1）增加对domo文件排查
 查找
if (file_exists('../upgrade')) { $warning[] = $_LANG['remove_upgrade']; } 

    其下加入
if (file_exists('../demo')) { $warning[] = $_LANG['remove_demo']; } 
    2）增加过滤
    查找
  elseif ($_REQUEST['act'] == 'main_api') 
    
 将括号内全部替换为

{ require_once(ROOT_PATH . '/includes/lib_base.php'); $data = read_static_cache('api_str'); if($data === false || API_TIME < date('Y-m-d H:i:s',time()-43200)) { include_once(ROOT_PATH . 'includes/cls_transport.php'); $ecs_version = VERSION; $ecs_lang = $_CFG['lang']; $ecs_release = RELEASE; $php_ver = PHP_VERSION; $mysql_ver = $db->version(); $order['stats'] = $db->getRow('SELECT COUNT(*) AS oCount, IFNULL(SUM(order_amount), 0) AS oAmount' . ' FROM ' .$ecs->table('order_info')); $ocount = $order['stats']['oCount']; $oamount = $order['stats']['oAmount']; $goods['total'] = $db->GetOne('SELECT COUNT(*) FROM ' .$ecs->table('goods'). ' WHERE is_delete = 0 AND is_alone_sale = 1 AND is_real = 1'); $gcount = $goods['total']; $ecs_charset = strtoupper(EC_CHARSET); $ecs_user = $db->getOne('SELECT COUNT(*) FROM ' . $ecs->table('users')); $ecs_template = $db->getOne('SELECT value FROM ' . $ecs->table('shop_config') . ' WHERE code = /'template/''); $style = $db->getOne('SELECT value FROM ' . $ecs->table('shop_config') . ' WHERE code = /'stylename/''); if($style == '') { $style = '0'; } $ecs_style = $style; $shop_url = urlencode($ecs->url()); $patch_file = file_get_contents(ROOT_PATH.ADMIN_PATH."/patch_num"); $apiget = "ver= $ecs_version &lang= $ecs_lang &release= $ecs_release &php_ver= $php_ver &mysql_ver= $mysql_ver &ocount= $ocount &oamount= $oamount &gcount= $gcount &charset= $ecs_charset &usecount= $ecs_user &template= $ecs_template &style= $ecs_style &url= $shop_url &patch= $patch_file "; $t = new transport; $api_comment = $t->request('http://api.ecshop.com/checkver.php', $apiget); $api_str = $api_comment["body"]; echo $api_str; $f=ROOT_PATH . 'data/config.php'; file_put_contents($f,str_replace("'API_TIME', '".API_TIME."'","'API_TIME', '".date('Y-m-d H:i:s',time())."'",file_get_contents($f))); write_static_cache('api_str', $api_str); } else { echo $data; } } 
 3） 配送判断
 
 //设置配送方式
    查找
$set_modules = true; include_once(ROOT_PATH . 'includes/modules/shipping/' . $shipping . '.php');    

替换为
$shop_add = read_modules('../includes/modules/shipping'); foreach ($shop_add as $val) { $mod_shop[] = $val['code']; } $mod_shop = implode(',',$mod_shop); $set_modules = true; if(strpos($mod_shop,$shipping) === false) { exit; } else { include_once(ROOT_PATH . 'includes/modules/shipping/' . $shipping . '.php'); }

----------------------------------------------------------------------------------------------------------------------------------------

 

utf-8:ECShop_2_7_2_UTF8_patch010.rar (184.63 KB)

 

gbk:  ECShop_2_7_2_GBK_patch010.rar (180.52 KB)