今天看到一个关于 Xiuno BBS 站点简介（sitebrief）XSS 漏洞的修补：
修补方式是修改替换 admin/route/setting.php 第 37-38 行的代码。
为了省事，我又用 AI 扫了一遍，修复了以下问题：
- 在写入配置前，对所有用户输入进行 HTML 实体转义。
- 确保模板输出时使用转义函数或启用自动转义。
- 在获取输入时应用适当的过滤器。
- 检查 SMTP 参数的处理，同样进行转义。
- 设置 Content-Security-Policy 头，增强整体防护。
<?php
// admin/route/setting.php — admin "setting" route: site base settings ('base')
// and SMTP accounts ('smtp').

// Refuse direct access: the framework bootstrap defines DEBUG before routing.
if(!defined('DEBUG')) {
	exit('Access Denied.');
}

// Sub-page selector taken from the second path segment. It is only ever
// compared against 'base' and 'smtp' below; any other value matches no branch
// in this file. (This is a default, not a range restriction.)
$action = param(1, '');

include _include(APP_PATH.'model/smtp.func.php');
$smtplist = smtp_init(APP_PATH.'conf/smtp.conf.php');
// hook admin_setting_start.php

// Response headers for this admin page only.
// NOTE(review): script-src still allows 'unsafe-inline', so this CSP does not
// block an injected inline <script>; it only keeps out scripts from other
// origins. X-XSS-Protection is ignored by current browsers. Neither header is
// sent on the public-facing templates where the site settings are rendered,
// so these are a hardening layer for the admin UI, not the fix for the stored
// XSS itself.
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';");
header("X-XSS-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");
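if($action == 'base') {
	// hook admin_setting_base_get_post.php
	if($method == 'GET') {
		// hook admin_setting_base_get_start.php
		// Render the site-settings form.
		//
		// The form_* helpers return the control's HTML markup (the radio/select
		// helpers below are used the same way), so the *widget* must never be
		// run through htmlspecialchars(): that turns the <input>/<textarea> tags
		// into literal text on the page. Only the *value* handed to the helper is
		// escaped, with double_encode=false so the call is idempotent: the POST
		// branch stores sitename/sitebrief already HTML-encoded, and re-encoding
		// those entities would show "&amp;lt;" to the admin, while a raw value
		// left over from an older install still gets encoded.
		// NOTE(review): whether form_text()/form_textarea() escape the value
		// themselves is not visible here — confirm in the form helper definitions.
		$input = array();
		$input['sitename'] = form_text('sitename', htmlspecialchars((string)$conf['sitename'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', FALSE));
		$input['sitebrief'] = form_textarea('sitebrief', htmlspecialchars((string)$conf['sitebrief'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', FALSE), '100%', 100);
		// Numeric / yes-no settings: the helper selects the active option by value.
		$input['runlevel'] = form_radio('runlevel', array(0=>lang('runlevel_0'), 1=>lang('runlevel_1'), 2=>lang('runlevel_2'), 3=>lang('runlevel_3'), 4=>lang('runlevel_4'), 5=>lang('runlevel_5')), htmlspecialchars($conf['runlevel']));
		$input['user_create_on'] = form_radio_yes_no('user_create_on', htmlspecialchars($conf['user_create_on']));
		$input['user_create_email_on'] = form_radio_yes_no('user_create_email_on', htmlspecialchars($conf['user_create_email_on']));
		$input['user_resetpw_on'] = form_radio_yes_no('user_resetpw_on', htmlspecialchars($conf['user_resetpw_on']));
		// Keep this option list in sync with the $langs whitelist in the POST branch.
		$input['lang'] = form_select('lang', array('zh-cn'=>lang('lang_zh_cn'), 'zh-tw'=>lang('lang_zh_tw'), 'en-us'=>lang('lang_en_us'), 'ru-ru'=>lang('lang_ru_ru'), 'th-th'=>lang('lang_th_th')), htmlspecialchars($conf['lang']));
		$header['title'] = htmlspecialchars(lang('admin_site_setting'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
		$header['mobile_title'] = htmlspecialchars(lang('admin_site_setting'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
		// hook admin_setting_base_get_end.php
		include _include(ADMIN_PATH.'view/htm/setting_base.htm');
	} else {
		// Save the form. Text settings are stored HTML-encoded (this file's
		// convention; presumably the public templates echo $conf values raw,
		// which is where the sitebrief XSS surfaced — any plain-text consumer of
		// these values, e.g. a mail subject, would have to decode them).
		//
		// Exactly one encoding pass: double_encode=false gives the same result
		// whether or not param() already escaped the value, so a stored "&" is
		// "&amp;" and never "&amp;amp;". ENT_SUBSTITUTE replaces invalid UTF-8
		// instead of returning "" and silently wiping the setting. The backslash
		// is the one PHP-string metacharacter htmlspecialchars() leaves alone; it
		// is encoded as the entity &#92; (lossless in HTML) so that a trailing "\"
		// cannot escape the closing quote when the value is written into conf.php.
		// NOTE(review): param()'s third argument is presumably the framework's
		// own escape flag, not a PHP FILTER_* constant; the FILTER_SANITIZE_*
		// values passed before are dropped since the explicit escaping here
		// covers the same ground — confirm against the param() definition.
		$sitename = str_replace('\\', '&#92;', htmlspecialchars((string)param('sitename', ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', FALSE));
		$sitebrief = str_replace('\\', '&#92;', htmlspecialchars((string)param('sitebrief', ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', FALSE));
		$runlevel = (int)param('runlevel', 0);
		$user_create_on = (bool)param('user_create_on');
		$user_create_email_on = (bool)param('user_create_email_on');
		$user_resetpw_on = (bool)param('user_resetpw_on');
		// The language code is presumably used elsewhere to build the path to the
		// lang/ directory, so HTML-encoding it is no defence against "../" — only
		// a whitelist is. Keep this list in sync with the select in the GET branch.
		// NOTE(review): message() is assumed to end the request (the SMTP branch
		// relies on the same) — confirm.
		$langs = array('zh-cn', 'zh-tw', 'en-us', 'ru-ru', 'th-th');
		$_lang = (string)param('lang', '');
		if(!in_array($_lang, $langs, TRUE)) {
			message(-1, lang('invalid_input'));
		}
		// hook admin_setting_base_post_start.php
		$replace = array();
		$replace['sitename'] = $sitename;
		$replace['sitebrief'] = $sitebrief;
		$replace['runlevel'] = $runlevel;
		$replace['user_create_on'] = $user_create_on;
		$replace['user_create_email_on'] = $user_create_email_on;
		$replace['user_resetpw_on'] = $user_resetpw_on;
		$replace['lang'] = $_lang;
		// No character-class check on sitebrief: a /^[a-zA-Z0-9_\-\s]+$/ pattern
		// rejects every non-ASCII character (no Chinese site description at all),
		// an empty value, and — run after escaping — any text containing an
		// entity such as "&amp;". The quoting risk it was meant to cover is
		// handled above: ENT_QUOTES encodes both quote characters, the backslash
		// is encoded, $_lang is whitelisted and the remaining values are ints or
		// bools.
		// NOTE(review): file_replace_var()'s own quoting is not visible here —
		// confirm it writes strings var_export-style rather than by bare
		// concatenation.
		file_replace_var(APP_PATH.'conf/conf.php', $replace);
		// hook admin_setting_base_post_end.php
		message(0, htmlspecialchars(lang('modify_successfully'), ENT_QUOTES | ENT_HTML5, 'UTF-8'));
	}
} elseif($action == 'smtp') {
	// hook admin_setting_smtp_get_post.php
	if($method == 'GET') {
		// hook admin_setting_smtp_get_start.php
		$header['title'] = htmlspecialchars(lang('admin_setting_smtp'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
		$header['mobile_title'] = htmlspecialchars(lang('admin_setting_smtp'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
		$smtplist = smtp_find();
		$maxid = smtp_maxid();
		// Escape the SMTP accounts for display only; the POST branch stores them
		// verbatim. 'pass' is escaped too: should the template put it into a
		// value="" attribute, a quote inside the password would otherwise break
		// out of the attribute. isset() tolerates rows from an older config that
		// lack a field.
		foreach($smtplist as &$smtp) {
			foreach(array('email', 'host', 'user', 'pass') as $field) {
				if(isset($smtp[$field])) {
					$smtp[$field] = htmlspecialchars((string)$smtp[$field], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
				}
			}
		}
		unset($smtp); // drop the dangling reference before the template runs
		// hook admin_setting_smtp_get_end.php
		include _include(ADMIN_PATH."view/htm/setting_smtp.htm");
	} else {
		// Save the SMTP accounts. Each field arrives as a parallel array indexed
		// by row; $email drives the iteration. Values are stored verbatim: they
		// are credentials used to talk to the mail server, not HTML, and
		// HTML-encoding them silently corrupts any address, user or host that
		// contains '&' or a quote (FILTER_VALIDATE_EMAIL accepts both in the
		// local part). Output escaping happens in the GET branch above.
		// NOTE(review): if param() HTML-escapes array values on its own, such
		// credentials would still arrive encoded — check param() and pass its
		// escape flag off here if so.
		$email = param('email', array(''));
		$host = param('host', array(''));
		// Array default, like the other fields: a scalar (int) cast here made
		// $port[$k] null for every row, so no account could ever connect.
		$port = param('port', array(0));
		$user = param('user', array(''));
		$pass = param('pass', array(''));
		is_array($email) OR $email = array();
		$smtplist = array();
		foreach($email as $k=>$v) {
			$v = trim((string)$v);
			// A blank row (the default when nothing was submitted) is not saved
			// rather than rejected, so the form can be saved with no accounts.
			if($v === '') continue;
			if(!filter_var($v, FILTER_VALIDATE_EMAIL)) {
				message(-1, lang('invalid_email_format'));
			}
			// isset() guards: a row missing from one of the parallel arrays must
			// not raise an undefined-index notice or abort the save.
			$smtplist[$k] = array(
				'email'=>$v,
				'host'=>isset($host[$k]) ? (string)$host[$k] : '',
				'port'=>isset($port[$k]) ? (int)$port[$k] : 0,
				'user'=>isset($user[$k]) ? (string)$user[$k] : '',
				'pass'=>isset($pass[$k]) ? (string)$pass[$k] : '',
			);
		}
		// var_export() quotes and escapes every string, so stored values cannot
		// break out of the generated PHP file.
		$r = file_put_contents_try(APP_PATH.'conf/smtp.conf.php', "<?php\r\nreturn ".var_export($smtplist,true).";\r\n?>");
		// NOTE(review): the lang key here looks like a file path rather than a
		// message id — verify it exists in the language files.
		!$r AND message(-1, lang('conf/smtp.conf.php', array('file'=>'conf/smtp.conf.php')));
		// hook admin_setting_smtp_post_end.php
		message(0, htmlspecialchars(lang('save_successfully'), ENT_QUOTES | ENT_HTML5, 'UTF-8'));
	}
}
// hook admin_setting_end.php
?>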