Securing DedeCMS: A Guide to Common Vulnerabilities and Patches
- Arbitrary File Upload in Media Manager
The file dede/media_add.php builds the destination path from the user-supplied filename without checking its extension, so an attacker with access to the media manager can upload a server-side script (for example a PHP web shell) and then request it to execute code on the server.
Patch
Locate the line assigning the full filename (around line 69) and replace it with the following code, which rejects script extensions before the path is built:
    // Reject script extensions before the destination path is assembled.
    if (preg_match('/\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$/i', $userFile)) {
        exit('The specified filename is prohibited by the system!');
    }
    $targetPath = $baseDirectory . $userFile;
This is a blacklist: it blocks only the extensions listed, so names such as shell.phtml or shell.phar still pass and will execute on servers whose PHP handler is mapped to those extensions. Where the media manager only needs images and documents, an allowlist of permitted extensions is the stronger check.
- Arbitrary File Upload in File Selector
The file include/dialog/select_soft_post.php has the same weakness in its upload logic: the user-supplied filename is appended to the target directory without an extension check.
Patch
Find the line that constructs the full filename (around line 71) and replace it with:
    // Same blacklist as the media manager; an allowlist is preferable where the
    // set of legitimate file types is known.
    if (preg_match('/\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$/i', $userFile)) {
        exit('The specified filename is prohibited by the system!');
    }
    $targetPath = $baseDirectory . $activePath . '/' . $userFile;
Note that $activePath is also part of the final path; make sure it is restricted to the intended upload directory so the filename check cannot be sidestepped by choosing a different location.
- Global Variable Overwrite
The file include/common.inc.php emulates register_globals: it loops over $_GET, $_POST and $_COOKIE and copies every key into a PHP variable of the same name. Because the loop does not filter the names, a request can overwrite internal variables, for example configuration values whose names begin with cfg_ or the $GLOBALS array itself.
Patch
Replace the loop that processes $_GET, $_POST, and $_COOKIE (around line 101) with a version that rejects dangerous names before registering them:
    foreach (['_GET', '_POST', '_COOKIE'] as $superGlobal) {
        foreach ($$superGlobal as $key => $value) {
            // Refuse names that would overwrite configuration, $GLOBALS or the
            // request and session superglobals themselves.
            if (strlen($key) > 0 && preg_match('/^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)/', $key)) {
                exit('Request variable not allowed!');
            }
            $$key = applyMagicQuotes($value);
        }
    }
The prefix list here must match the one used by the request-variable check in the next section: a loop that blocks only cfg_ and GLOBALS still lets a parameter named _SESSION (or _GET, _POST, _COOKIE) be registered over the real superglobal. applyMagicQuotes() only escapes quotes in the values; it is not a substitute for controlling which names may be registered.
- SESSION Variable Overwrite Leading to SQL Injection
In include/common.inc.php, the check on incoming variable names (around line 68) rejects names beginning with cfg_, GLOBALS, _GET, _POST and _COOKIE but not _SESSION. A request parameter named _SESSION therefore passes the check and overwrites the session array, and any query that trusts a session value can then be turned into SQL injection.
Patch
Add _SESSION to the regular expression in that check:
    if (strlen($sessionVar) > 0 && preg_match('/^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)/', $sessionVar)) {
        // ...
    }
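As an added example (not DedeCMS's own code), here is a request-variable registration loop that applies the prefix check from the two sections above and is run over constructed requests. The function names (checkRequestName, registerRequestVars), the sample keys and the use of an exception in place of exit() are assumptions, and applyMagicQuotes() is a stand-in for the escaping helper. Instead of creating variables with $$key it returns the array of what would be registered, so the effect can be inspected:

```php
<?php
// Added example, not DedeCMS code: a request-variable registration loop that
// applies the prefix check from the patches above. Function names and the
// sample requests are assumptions.

// Names that must never be registered: configuration values (cfg_*), the
// $GLOBALS array, and the request/session superglobals.
const FORBIDDEN_NAME_PATTERN = '/^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION)/';

// Stand-in for applyMagicQuotes(): escape quotes and backslashes, recursively.
function applyMagicQuotes($value)
{
    return is_array($value)
        ? array_map('applyMagicQuotes', $value)
        : addslashes((string) $value);
}

// Rejects a top-level name matching the forbidden prefixes. PHP converts
// numeric-string keys to integers; those cannot match a prefix, so only string
// names are tested.
function checkRequestName($name): void
{
    if (is_string($name) && preg_match(FORBIDDEN_NAME_PATTERN, $name)) {
        throw new RuntimeException("Request variable not allowed: $name");
    }
}

// Mirrors the patched loop but returns the variables it would create instead
// of writing them with $$key. Later sources override earlier ones, matching
// the original order GET, POST, COOKIE.
function registerRequestVars(array $get, array $post, array $cookie): array
{
    $registered = [];
    foreach ([$get, $post, $cookie] as $source) {
        foreach ($source as $name => $value) {
            checkRequestName($name);
            $registered[$name] = applyMagicQuotes($value);
        }
    }
    return $registered;
}

// Constructed requests (the query string each one corresponds to is in the comment).
$benign  = ['aid' => '12', 'keyword' => "O'Neil"];        // ?aid=12&keyword=O'Neil
$session = ['_SESSION' => ['uid' => '1']];                 // ?_SESSION[uid]=1
$globals = ['GLOBALS' => ['cfg_example' => 'evil']];       // ?GLOBALS[cfg_example]=evil
$config  = ['cfg_example' => 'evil'];                      // ?cfg_example=evil

$vars = registerRequestVars($benign, [], []);
echo "keyword registered as: {$vars['keyword']}\n";        // O\'Neil

foreach (['session' => $session, 'globals' => $globals, 'config' => $config] as $label => $request) {
    try {
        registerRequestVars($request, [], []);
        echo "$label: accepted (this would be the bug)\n";
    } catch (RuntimeException $e) {
        echo "$label: " . $e->getMessage() . "\n";
    }
}
```

The benign request is registered with its value escaped; each of the three hostile requests is refused at the name check, before any variable is written.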
- SQL Injection in Alipay Payment Module
The file include/payment/alipay.php takes the order number from the out_trade_no query parameter and uses it in an SQL query without escaping, so a crafted order number can alter the query.
Patch
Escape the out_trade_no parameter where it is read (around line 136) by wrapping it in addslashes():
    $orderNumber = trim(addslashes($_GET['out_trade_no']));
addslashes() only helps if the value is enclosed in quotes in the SQL statement; if the order number is interpolated unquoted, validate its format (or cast it) instead. A bound parameter in a prepared statement is the more robust fix in either case.
- SQL Injection in Guestbook Module
The guestbook editing code in plus/guestbook/edit.inc.php interpolates the submitted message content directly into an UPDATE statement, so a message containing a single quote can break out of the string literal and inject SQL.
Patch
Before the SQL query (around line 55), escape the message variable, then run the query:
    $messageContent = addslashes($messageContent);
    $database->executeUpdate("UPDATE `#@__guestbook` SET `msg`='$messageContent', `posttime`='".time()."' WHERE id='$guestbookId' ");
Check that $guestbookId is also forced to an integer before it reaches this query, since it is interpolated into the same statement.
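The two SQL injection fixes above both rely on addslashes(). As an added example (not DedeCMS code), the following rewrites the guestbook update and an order-number lookup with PDO bound parameters, which remove the quoting question entirely. It runs against an in-memory SQLite database (requires the pdo_sqlite extension); the table layouts, the dede_ prefix standing in for #@__, and the 8-to-32 alphanumeric order-number format are assumptions:

```php
<?php
// Added example, not DedeCMS code: the guestbook update and an order-number
// lookup written with bound parameters instead of addslashes(). Runs against
// an in-memory SQLite database with a constructed schema.

const TABLE_PREFIX = 'dede_';   // stands in for the #@__ prefix DedeCMS expands

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ' . TABLE_PREFIX . 'guestbook (id INTEGER PRIMARY KEY, msg TEXT, posttime INTEGER)');
    $db->exec('CREATE TABLE ' . TABLE_PREFIX . 'orders (out_trade_no TEXT PRIMARY KEY, state TEXT)');
    $db->exec("INSERT INTO " . TABLE_PREFIX . "guestbook VALUES (1, 'hello', 0), (2, 'world', 0)");
    $db->exec("INSERT INTO " . TABLE_PREFIX . "orders VALUES ('20240101ABC', 'unpaid')");
    return $db;
}

// Equivalent of the guestbook edit query: the message is bound, so quotes in
// it can never terminate the string literal, and the id is forced to int.
function updateGuestbookMessage(PDO $db, $id, string $msg): int
{
    $stmt = $db->prepare('UPDATE ' . TABLE_PREFIX . 'guestbook SET msg = :msg, posttime = :t WHERE id = :id');
    $stmt->execute([':msg' => $msg, ':t' => time(), ':id' => (int) $id]);
    return $stmt->rowCount();
}

// Equivalent of the order lookup: validate the shape first (assumed format:
// 8 to 32 letters or digits), then bind the value.
function findOrderState(PDO $db, string $outTradeNo): ?string
{
    if (!preg_match('/^[A-Za-z0-9]{8,32}$/', $outTradeNo)) {
        return null;   // reject unexpected characters rather than escape them
    }
    $stmt = $db->prepare('SELECT state FROM ' . TABLE_PREFIX . 'orders WHERE out_trade_no = ?');
    $stmt->execute([$outTradeNo]);
    $state = $stmt->fetchColumn();
    return $state === false ? null : $state;
}

$db = openDemoDb();

// A message carrying a quote-break payload is stored literally; row 2 is untouched.
$payload = "x', posttime=0 WHERE id=2 -- ";
echo updateGuestbookMessage($db, 1, $payload), " row(s) updated\n";                                   // 1
echo $db->query('SELECT msg FROM ' . TABLE_PREFIX . 'guestbook WHERE id = 2')->fetchColumn(), "\n";   // world

// A non-numeric id such as "1 OR 1=1" is reduced to 1 by the cast, not executed.
echo updateGuestbookMessage($db, '1 OR 1=1', 'edited'), " row(s) updated\n";                          // 1

echo var_export(findOrderState($db, '20240101ABC'), true), "\n";                                      // 'unpaid'
echo var_export(findOrderState($db, "' OR '1'='1"), true), "\n";                                      // NULL
```

With bound parameters the escaping step disappears, and the question of whether the value sits inside quotes in the SQL text no longer arises, which is the weak point of the addslashes() patches above.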
- Image Upload Bypass in Upload Handler
The upload handler in include/uploadsafe.inc.php does not verify that a file declared as an image actually contains image data, so a non-image file disguised as an image (script content uploaded with an image content type) gets through.
Patch
Modify the code around line 42 so that a file declaring an image type is accepted only if its contents parse as an image:
    ${$fileKey . '_size'} = @filesize($$fileKey);
    $allowedMimeTypes = ["image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"];
    if (in_array(strtolower(trim(${$fileKey . '_type'})), $allowedMimeTypes)) {
        // A declared image type must be backed by a parseable image header.
        // Do not skip (continue) when getimagesize() fails: a file that claims
        // an image type but has no image header is exactly the disguised
        // upload this check exists to reject.
        $imageDimensions = @getimagesize($$fileKey);
        if (!is_array($imageDimensions)) {
            exit('Uploaded file type is not allowed!');
        }
    }
Apply the same check at the second validation point (around line 53), again rejecting rather than skipping when getimagesize() returns false:
    $imageDimensions = @getimagesize($$fileKey);
    if (!is_array($imageDimensions)) {
        exit('Uploaded file type is not allowed!');
    }
Two limits to keep in mind. The declared type comes from the request (it is what PHP exposes as $_FILES[...]['type']), so a client that declares a non-image type skips this branch entirely; the extension checks from the earlier sections must still run. And getimagesize() reads only the image header, so a file that starts with a GIF signature followed by script code passes it; uploads must be stored under a non-executable extension and, ideally, in a location from which the web server does not execute scripts.
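To tie the three upload fixes together (the extension checks in the media manager and file selector sections and the image check in this one), the following added example (not DedeCMS code) runs the page's blacklist, an extension allowlist and getimagesize() over constructed files, including a GIF/PHP polyglot. The function names, the allowlist and the sample bytes are assumptions:

```php
<?php
// Added example, not DedeCMS code: an upload validator combining an extension
// allowlist with a content check, exercised on constructed files. Function
// names, the allowlist and the sample payloads are assumptions.

// The blacklist used by the media-manager and file-selector patches.
const SCRIPT_EXT_BLACKLIST = '/\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$/i';
// Allowlist of what an image uploader actually needs (assumed set).
const IMAGE_EXT_ALLOWLIST = ['jpg', 'jpeg', 'gif', 'png', 'bmp'];

function blacklistAllows(string $name): bool
{
    return !preg_match(SCRIPT_EXT_BLACKLIST, $name);
}

// Allowlist on the final extension only, lower-cased.
function allowlistAllows(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, IMAGE_EXT_ALLOWLIST, true);
}

// Header check: getimagesize() returns an array only if it can parse an
// image header; it does not read or validate the rest of the file.
function looksLikeImage(string $path): bool
{
    return is_array(@getimagesize($path));
}

// Full decision: the name must pass the allowlist AND the content must parse.
function acceptUpload(string $name, string $path): bool
{
    return allowlistAllows($name) && looksLikeImage($path);
}

function writeTemp(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($path, $bytes);
    return $path;
}

// Constructed samples: a minimal 1x1 GIF, plain PHP, and a GIF/PHP polyglot
// (a GIF signature followed by code).
$gif      = writeTemp("GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                    . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b");
$phpOnly  = writeTemp("<?php echo 'not an image'; ?>");
$polyglot = writeTemp("GIF89a<?php echo 'still not an image'; ?>");

$cases = [
    ['photo.jpg',   $gif,      'legitimate image'],
    ['shell.php',   $phpOnly,  'script, caught by both lists'],
    ['shell.phtml', $phpOnly,  'script, passes the blacklist'],
    ['shell.phtml', $polyglot, 'polyglot, passes blacklist and header check'],
    ['shell.gif',   $polyglot, 'polyglot with image extension: only non-executable storage helps'],
];

printf("%-12s %-9s %-9s %-7s %-7s %s\n", 'name', 'blacklist', 'allowlist', 'header', 'accept', 'note');
foreach ($cases as [$name, $path, $note]) {
    printf("%-12s %-9s %-9s %-7s %-7s %s\n",
        $name,
        blacklistAllows($name) ? 'pass' : 'reject',
        allowlistAllows($name) ? 'pass' : 'reject',
        looksLikeImage($path) ? 'pass' : 'reject',
        acceptUpload($name, $path) ? 'yes' : 'no',
        $note);
}

foreach ([$gif, $phpOnly, $polyglot] as $p) {
    unlink($p);
}
```

The table makes the division of labour visible: photo.jpg passes every check; shell.php fails both lists; shell.phtml passes the blacklist but not the allowlist; and the polyglot passes the header check whatever its name, which is why the header check alone is not a defence and why the storage location of accepted uploads matters as much as the filename filter.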