阿里云提示DISCUZ uc.key泄漏导致代码注入漏洞修复

PHP

查找

1
2
3
4
foreach($post as $k => $v) {
	$data['findpattern'][$k] = $v['findpattern'];
	$data['replace'][$k] = $v['replacement'];
}

改成

1
2
3
4
5
6
7
8
9
foreach ($post as $k => $v) {
    //dz uc-key修改开始
    if (substr($v['findpattern'], 0, 1) != '/' || substr($v['findpattern'], -3) != '/is') {
        $v['findpattern'] = '/' . preg_quote($v['findpattern'], '/') . '/is';
    }
    //end  修改结束
    $data['findpattern'][$k] = $v['findpattern'];
    $data['replace'][$k] = $v['replacement'];
}

查找

1
$UC_API = $post['UC_API'];

改成

1
2
3
4
5
6
7
8
//$UC_API = $post['UC_API'];
//dz uc-key修改开始
$UC_API = '';
if ($post['UC_API']) {
    $UC_API = str_replace(array('\'', '"', '\\', "\0", "\n", "\r"), '', $post['UC_API']);
    unset($post['UC_API']);
}
//end修改结束

本文标题:阿里云提示DISCUZ uc.key泄漏导致代码注入漏洞修复

文章作者:liux

发布时间:2017-06-08, 10:49:33

最后更新:2020-12-30, 11:07:00

原始链接:http://www.51os.xyz/2017/06/08/discuz-uc-key-bug/

许可协议: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

文章目录