DedeCMS V53 arbitrary variable overwrite vulnerability

DedeCMS V53 has been released, but the variable overwrite holes are still not thoroughly fixed. This hole is very similar to the one from ryat 🙂
See the code in the core file include/common.inc.php:

    // Reject request keys that start with _, cfg_ or GLOBALS,
    // unless the same key is also set in $_COOKIE
    foreach($_REQUEST as $_k=>$_v)
    {
        if( strlen($_k)>0 && eregi('^(_|cfg_|GLOBALS)',$_k) && !isset($_COOKIE[$_k]) )
        {
            exit('Request var not allow!');
        }
    }

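This check can be bypassed by submitting a _COOKIE variable, which gets past the filter on cfg_ and the other keywords (the test only fires when !isset($_COOKIE[$_k])). It is followed by the code that registers the variables: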

    // Every key in $_GET, $_POST and $_COOKIE becomes a global variable
    foreach(Array('_GET','_POST','_COOKIE') as $_request)
    {
        foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
    }

Then the variables are initialized:

    // Configuration files, loaded after the request variables were registered
    require_once(DEDEDATA.'/common.inc.php');
    require_once(DEDEDATA."/config.cache.inc.php");

At first glance this looks unusable, but fortunately there is this piece of code at the end of the file:

    // Included only when $_FILES is non-empty
    if($_FILES)
    {
        require_once(DEDEINC.'/uploadsafe.inc.php');
    }

Let's look at uploadsafe.inc.php:

    foreach($_FILES as $_key=>$_value)
    {
        foreach($keyarr as $k)
        {
            if(!isset($_FILES[$_key][$k]))
            {
                exit('Request Error!');
            }
        }
        // A global named after the $_FILES key is created here,
        // after common.inc.php has already loaded the configuration
        $$_key = $_FILES[$_key]['tmp_name'] = str_replace("////","//",$_FILES[$_key]['tmp_name']);
        // ... (the excerpt ends here)
    }

By submitting something like common.inc.php?_FILES[cfg_xxxx][tmp_name]=aaaaaa&…… you can overwrite cfg_xxxx.
When using this, pay attention to the cookie assignment, and also to bypassing the checks inside uploadsafe.inc.php.
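
A hardened counterpart to the two $$ assignments above, as an added example that is not DedeCMS code: request values go into an array with the reserved-name check applied to every source (no cookie exception), and $_FILES entries are kept only when is_uploaded_file() confirms them. The helper names reserved_key(), collect_input() and safe_uploads() and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not DedeCMS code; helper names and sample input are constructed.

// Names a request must never set: superglobals, internals, cfg_ settings.
function reserved_key(string $k): bool
{
    return $k === '' || preg_match('/^(_|cfg_|GLOBALS)/i', $k) === 1;
}

// Collect request values into an array instead of creating globals with $$.
// Every source is checked; a matching cookie is not an exception.
function collect_input(array $sources): array
{
    $input = [];
    foreach ($sources as $name => $values) {
        foreach ($values as $k => $v) {
            if (reserved_key((string)$k)) {
                throw new InvalidArgumentException("Request var not allowed: {$name}[{$k}]");
            }
            $input[$k] = $v;
        }
    }
    return $input;
}

// Keep an upload entry only if PHP itself received the file over HTTP POST.
function safe_uploads(array $files): array
{
    $ok = [];
    foreach ($files as $field => $f) {
        if (reserved_key((string)$field) || !is_array($f)
            || !isset($f['name'], $f['tmp_name'], $f['size'])
            || !is_string($f['tmp_name']) || !is_uploaded_file($f['tmp_name'])) {
            continue; // forged or malformed entry: never turned into a variable
        }
        $ok[$field] = $f;
    }
    return $ok;
}

// Constructed input mirroring the request shape described above.
$cookie = ['cfg_xxxx' => '1'];
$files  = ['cfg_xxxx' => ['name' => 'a', 'type' => 't', 'tmp_name' => 'aaaaaa', 'size' => 1]];
try {
    collect_input(['_GET' => ['id' => '7'], '_COOKIE' => $cookie]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo count(safe_uploads($files)), " upload entries accepted\n";
```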