[oscommerce] [Critical e-mail vulnerability fix] All OSC sites should update immediately

This comes from http://www.kmd.com.tw/Forum/viewtopic.php?t=12181. That post only describes two places that have to be changed, but the original fix lists six, so I am following the original and summarizing it briefly here:

1. Edit the robots.txt file
Make sure the file name is all lowercase on Linux/Unix. The file belongs in your site's web root, meaning the directory where your index.html or index.php and similar files live; if you log in with a personal account it may be under /your-home-directory/public_html/ or /your-home-directory/httpdocs.

# This line means the settings apply to every search-engine crawler
User-agent: *

# The entries below tell crawlers not to index the pages you don't want indexed.
# They assume osCommerce is installed in the web root,
# e.g. http://your-site/index.php
Disallow: /admin
Disallow: /includes
Disallow: /account.php
Disallow: /advanced_search.php
Disallow: /checkout_shipping.php
Disallow: /create_account.php
Disallow: /login.php
Disallow: /password_forgotten.php
Disallow: /popup_image.php
Disallow: /shopping_cart.php
Disallow: /contact_us.php
Disallow: /product_reviews_write.php
Disallow: /cookie_usage.php

Add any other paths you don't want indexed. Keep in mind that robots.txt is only a request to well-behaved crawlers: it does not stop anyone from fetching /admin, and it advertises those paths to anyone who reads the file, so it is no substitute for putting authentication (or an IP restriction) in front of the admin directory.

2. Contact Us form vulnerability fix
In contact_us.php, around line 126, find:
<td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15); ?></td>

and replace that line with:
<td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15, tep_sanitize_string($_POST['enquiry']), '', false); ?></td>

With the default arguments the textarea reloads whatever was submitted for "enquiry" straight back into the page. The replacement supplies a copy run through tep_sanitize_string() as the field's text and turns the automatic reload off, so the form never echoes the raw input. On the first (GET) display $_POST['enquiry'] is not set yet, which only produces a PHP notice; wrapping it in isset($_POST['enquiry']) ? tep_sanitize_string($_POST['enquiry']) : '' avoids that.
3. Contact form issue / textarea bug
The original post already covers this, so it is not repeated here.

4. Validate string
I can't really see what this one is for, so I'm skipping it!

5. Contact Us spam bot
In catalog/includes/functions/general.php
find:

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
if (SEND_EMAILS != 'true') return false;

and change it to:

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
if (SEND_EMAILS != 'true') return false;
//Don't send any injection type mails.
if (eregi('Content-Type:', $to_name)) return false;
if (eregi('Content-Type:', $email_subject)) return false;
if (eregi('Content-Type:', $from_email_name)) return false;
if (eregi('Content-Type:', $email_text)) return false;
//Remove any newline and anything after it on the header fields of the mail.
//$to_email_address and $from_email_address are checked with tep_validate_email().
//(The class is [\n\r]: a | inside a character class is a literal pipe, not "or".)
$to_name = preg_replace('/[\n\r].*/', '', $to_name);
$email_subject = preg_replace('/[\n\r].*/', '', $email_subject);
$from_email_name = preg_replace('/[\n\r].*/', '', $from_email_name);

The rest of the function stays as it is. The point of the change: the name and subject fields end up in mail headers, and a CR or LF inside them lets an attacker append headers of his own (Bcc:, Content-Type:, then a blank line and a second body), which is how the contact form gets turned into a spam relay. The Content-Type: test on $email_text rejects attempts to inject MIME directives into the body as well. Note that eregi() was removed in PHP 7.0; on a current PHP use stripos($x, 'Content-Type:') !== false instead.
Version 1.1 added a further fix:
6. Contact Us spam relay
Reference: http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
In catalog/includes/functions/general.php => the original is wrong here: the file is catalog/contact_us.php, which the next revision corrects.
Find:
$error = false;
if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
$name = tep_db_prepare_input($HTTP_POST_VARS['name']);
$email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
$enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

and change it to:
$error = false;
if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
// http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
// Flatten line breaks in the two fields that end up in mail headers,
// so they cannot be used to start a new header line.
$_POST['email'] = preg_replace( "/\n/", " ", $_POST['email'] );
$_POST['name'] = preg_replace( "/\n/", " ", $_POST['name'] );
$_POST['email'] = preg_replace( "/\r/", " ", $_POST['email'] );
$_POST['name'] = preg_replace( "/\r/", " ", $_POST['name'] );
// Strip any attempt to inject a MIME directive.
$_POST['email'] = str_replace("Content-Type:","",$_POST['email']);
$_POST['name'] = str_replace("Content-Type:","",$_POST['name']);
$name = tep_db_prepare_input($_POST['name']);
$email_address = tep_db_prepare_input($_POST['email']);
$enquiry = tep_db_prepare_input($_POST['enquiry']);
// Record the sender's IP address at the end of the message so abuse can be traced.
$enquiry = tep_db_prepare_input($enquiry . "\n\n IP: " . $_SERVER['REMOTE_ADDR']);

Two caveats: str_replace() here is a single, case-sensitive pass, so "content-type:" passes through untouched and "Content-Content-Type:Type:" reassembles into the directive after one removal. It only works as a second line of defence; the CR/LF flattening above it is what actually prevents a new header from starting, and the tep_mail() check from step 5 still rejects the message outright if a Content-Type: survives.
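As an added example that is not part of the original post or of osCommerce, here is what the CR/LF injection that steps 5 and 6 defend against actually does, next to a PHP 7.1+ version of the same check (eregi() no longer exists, so stripos() and preg_replace() are used). The attacker input is constructed sample data and the function names are my own; nothing is sent anywhere.

```php
<?php
// Added example, not code from the page or from the osCommerce project: the
// CR/LF header injection that the contact_us patches block, and a PHP 7.1+
// version of the per-field check. Function names are assumptions for this demo.

// Constructed attacker input for the contact form's `name` field (sample data,
// not a captured request). One CR/LF pair turns a single header into several,
// and the blank line ends the header block so the rest becomes the message body.
const ATTACKER_NAME = "Bob\r\nBcc: victim@example.net\r\nContent-Type: text/html\r\n\r\n<b>spam</b>";

// How an unpatched helper assembles headers: submitted fields go in verbatim.
function build_headers_unsafe(string $from_name, string $from_email, string $subject): string
{
    return "From: $from_name <$from_email>\r\n"
         . "Subject: $subject\r\n"
         . "MIME-Version: 1.0\r\n";
}

// True when a Bcc: header starts any line, i.e. a recipient the site never
// intended to mail has been smuggled into the header block.
function has_injected_bcc(string $headers): bool
{
    return preg_match('/^Bcc:/mi', $headers) === 1;
}

// The patch's per-field treatment: abort if a MIME directive appears anywhere
// (tep_mail() returns false), otherwise cut the field at the first CR or LF so
// it can only ever occupy one header line. Returns null to mean "abort".
function sanitize_header_field(string $value): ?string
{
    if (stripos($value, 'Content-Type:') !== false) {
        return null;
    }
    // The /s flag makes . match newlines, so everything after the first line
    // break is removed in one match, not just the first line after it.
    return preg_replace('/[\r\n].*/s', '', $value);
}

// Runs the attack against both versions and reports what each produced.
function demo(): array
{
    $unsafe = build_headers_unsafe(ATTACKER_NAME, 'bob@example.com', 'Hello');
    return [
        'unsafe_has_bcc'    => has_injected_bcc($unsafe),                                  // true
        'hardened_rejected' => sanitize_header_field(ATTACKER_NAME) === null,             // true
        'hardened_bcc_only' => sanitize_header_field("Bob\r\nBcc: victim@example.net"),    // "Bob"
    ];
}

var_dump(demo());
```

Run it with php on the command line. The first result shows the unpatched header block carrying a Bcc: line the site never wrote; the second shows the patched path refusing the message because of the Content-Type: directive; the third shows a payload without that directive being cut back to the single name "Bob", so even an injection the Content-Type: test would miss can no longer add a header.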
In v1.2 there are many A, B, C... variants of the fix; since I haven't tried them yet, I'm keeping the original version for now.
v1.3 strengthens the fix further:
1. Stop mail being sent "from" your own domain.
Near the top of contact_us.php find:
if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
and replace it with:
if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send') && tep_email_isfromdomain($_POST['email']))
{
$error = true;
$messageStack->add('contact', ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR);
}
elseif (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
The reason: the form sends the message with the visitor's address as the sender, so a spammer who enters an address at your own domain gets mail relayed that appears to come from you. The new first branch rejects such submissions with an error; the elseif opens the original block unchanged.
Near the top of /includes/functions/validations.php add this function:
function tep_email_isfromdomain($email) {
list($username,$domain)=split('@',$email);
$domain = strtolower($domain);
if ($domain == 'ENTER YOUR DOMAIN HERE'){
return true;
}else{
return false;
}
}
Replace ENTER YOUR DOMAIN HERE with your own domain, written in lowercase: only the submitted address is lowercased before the comparison.
In /includes/languages/english/english.php and the corresponding file for each other language you use, add:
define('ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR', 'Your E-Mail Address appears to be from BuyLDSproducts.com. To contact us, please use your valid email address.');
Change BuyLDSproducts.com in the message to your own domain.
v1.4 strengthens and corrects the v1.3 fix.
Near the top of catalog/includes/configure.php find define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com'); and leave it as it is; add this line after it:
define('HTTP_MAIL_DOMAIN', 'yourdomain.com');

In /includes/functions/validations.php add this function; v1.3 already added a function of this name, so replace that one with it:
function tep_email_isfromdomain($email) {
list($username,$domain)=split('@',$email);
$domain = strtolower($domain);
if ($domain == '' . HTTP_MAIL_DOMAIN . ''){
return true;
}else{
return false;
}
}
Two things to watch: HTTP_MAIL_DOMAIN must be written in lowercase in configure.php, because only the submitted address is lowercased before the comparison; and split() (like eregi() in step 5) was removed in PHP 7.0, so on a current PHP use explode('@', $email) instead. An address with no @ at all makes the list() assignment emit a notice and the function return false, which is harmless because tep_validate_email() rejects such an address anyway.
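Here, as an added example rather than the mod's own code, is a PHP 7.1+ rewrite of the tep_email_isfromdomain() check that handles the inputs the original mishandles: addresses with no @, a capitalised configured domain, and a trailing dot. HTTP_MAIL_DOMAIN is the constant the v1.4 step adds to configure.php; the example defines it with an assumed value only so it runs on its own, and the function names are mine.

```php
<?php
// Added example, not code from the page or from osCommerce: a PHP 7.1+ version
// of the "sender must not claim our own domain" check from the v1.3/v1.4 patch.
// HTTP_MAIL_DOMAIN normally comes from configure.php; the value below is an
// assumption so the script runs stand-alone.
if (!defined('HTTP_MAIL_DOMAIN')) {
    define('HTTP_MAIL_DOMAIN', 'yourdomain.com');
}

// Returns the domain part of an address, lowercased and without a trailing
// dot, or null when there is no '@'. The last '@' is used so a quoted local
// part such as "a@b"@example.org still yields example.org.
function email_domain(string $email): ?string
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return null;
    }
    return rtrim(strtolower(trim(substr($email, $at + 1))), '.');
}

// The patch's rule: the contact form must not send mail that claims to come
// from the shop's own domain. Exact match only, as in the original; a
// subdomain does not count. Both sides are lowercased, so the constant's
// case no longer matters.
function email_is_from_domain(string $email): bool
{
    $domain = email_domain($email);
    return $domain !== null && $domain === strtolower(HTTP_MAIL_DOMAIN);
}

// Constructed sample addresses exercising the cases the original got wrong.
function demo(): array
{
    return [
        'plain'     => email_is_from_domain('sales@yourdomain.com'),     // true
        'upper'     => email_is_from_domain('Sales@YourDomain.COM'),     // true
        'dotted'    => email_is_from_domain('sales@yourdomain.com.'),    // true
        'other'     => email_is_from_domain('alice@example.org'),        // false
        'no_at'     => email_is_from_domain('not-an-address'),           // false, no notice
        'subdomain' => email_is_from_domain('bob@mail.yourdomain.com'),  // false
    ];
}

var_dump(demo());
```

In contact_us.php the call site stays the same as in the v1.3 step: a true result sets $error and adds ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR to the message stack. If you also want addresses at subdomains of your shop rejected, compare with a suffix test on '.' . HTTP_MAIL_DOMAIN in addition to the exact match.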
That is the latest set of fixes!
