EC-CUBE®

脆弱性

ディレクトリトラバーサル 及び XSS の脆弱性

  • 情報公開日:2010年 02月 08日
  • 危険度:中
  • 対象:Ver 2.4.3 未満
-------------------------------------------------------------------
■不具合が存在するEC-CUBEのバージョン
-------------------------------------------------------------------
EC-CUBE 正式版  2.4.3 未満 (2010年2月8日公開)

-------------------------------------------------------------------
■修正方法について(以下は Ver2.4.2 からの修正点となっております。)
-------------------------------------------------------------------
以下、①~④までを修正して下さい。
(参照:http://svn.ec-cube.net/open_trac/changeset/18559)

※EC-CUBE 2.3.0未満をお使いの場合は、ページ最下部の「※追記」もあわせてご確認下さい。

①/data/class/pages/admin/contents/LC_Page_Admin_Contents.php
の以下のコードを変更します。

■83行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
if ($this->arrErr = $this->lfErrorCheck()) { // 入力エラーのチェック 
    foreach($_POST as $key => $val) { 
        $this->$key = $val;
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
if ($this->arrErr = $this->lfErrorCheck()) { // 入力エラーのチェック 
    $arrParams = array("news_url", "news_title", "news_comment", "link_method"); 

    foreach($arrParams as $key) { 
        $this->$key = $_POST[$key]; 
-------------------------------------------------------------------

②/data/class/pages/campaign/LC_Page_CampaignEntry.php
の以下のコードを変更します。

■90行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
array(  "column" => "email2", "convert" => "a" ), 
array(  "column" => "email_mobile", "convert" => "a" ), 
array(  "column" => "email_mobile2", "convert" => "a" ), 
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
array(  "column" => "email02", "convert" => "a" ), 
array(  "column" => "email_mobile", "convert" => "a" ), 
array(  "column" => "email_mobile02", "convert" => "a" ),
-------------------------------------------------------------------


■102行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
array(  "column" => "birth", "convert" => "n" ), 
array(  "column" => "reminder", "convert" => "n" ), 
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
array(  "column" => "birth", "convert" => "n" ), 
array(  "column" => "year",  "convert" => "n"), 
array(  "column" => "month", "convert" => "n"), 
array(  "column" => "day",   "convert" => "n"), 
array(  "column" => "reminder", "convert" => "n" ), 
-------------------------------------------------------------------

■130行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
if ($this->arrErr || $_POST["mode"] == "return") { // 入力エラーのチェック 
    foreach($this->arrForm as $key => $val) { 
        $this->$key = $val; 
    }
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
if ($this->arrErr || $_POST["mode"] == "return") { // 入力エラーのチェック 
    foreach($arrRegistColumn as $key) { 
        $this->$key['column'] = $this->arrForm[$key['column']]; 
    }
-------------------------------------------------------------------

③/data/class/pages/contact/LC_Page_Contact.php
の以下のコードを変更します。

■88行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
array(  "column" => "email",       "convert" => "a" ), 
array(  "column" => "tel01",       "convert" => "n" ),
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
array(  "column" => "email",       "convert" => "a" ), 
array(  "column" => "email02",     "convert" => "a" ), 
array(  "column" => "tel01",       "convert" => "n" ),
-------------------------------------------------------------------

■110行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
    $this->tpl_title = 'お問い合わせ(確認ページ)'; 
} else { 
    foreach ($this->arrForm as $key => $val){ 
        $this->$key = $val; 
} 
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
    $this->tpl_title = 'お問い合わせ(確認ページ)'; 
} else { 
    foreach ($arrConvertColumn as $key) { 
        $this->$key['column'] = $this->arrForm[$key['column']]; 
    }
} 
-------------------------------------------------------------------

■117行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
case 'return': 
foreach ($_POST as $key => $val){ 
    $this->$key = $val; 
}
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
case 'return': 
foreach ($arrConvertColumn as $key) { 
    $this->$key['column'] = $_POST[$key['column']]; 
} 
-------------------------------------------------------------------

④/data/class/pages/entry/LC_Page_Entry.php
の以下のコードを変更します。

■101行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
array(  "column" => "email2", "convert" => "a" ), 
array(  "column" => "email_mobile", "convert" => "a" ), 
array(  "column" => "email_mobile2", "convert" => "a" ), 
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
array(  "column" => "email02", "convert" => "a" ), 
array(  "column" => "email_mobile", "convert" => "a" ), 
array(  "column" => "email_mobile02", "convert" => "a" ), 
-------------------------------------------------------------------

■113行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
array(  "column" => "birth", "convert" => "n" ), 
array(  "column" => "reminder", "convert" => "n" ), 
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
array(  "column" => "birth", "convert" => "n" ), 
array(  "column" => "year", "convert" => "n" ), 
array(  "column" => "month", "convert" => "n" ), 
array(  "column" => "day", "convert" => "n" ), 
array(  "column" => "reminder", "convert" => "n" ), 
-------------------------------------------------------------------

■170行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
if ($this->arrErr || $_POST["mode"] == "return") { // 入力エラーのチェック 
    foreach($this->arrForm as $key => $val) { 
        $this->$key = $val; 
    }
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
if ($this->arrErr || $_POST["mode"] == "return") { // 入力エラーのチェック 
    foreach($arrRegistColumn as $key) { 
        $this->$key['column'] = $this->arrForm[$key['column']];
    }
-------------------------------------------------------------------

■317行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
array(  "column" => "email2", "convert" => "a" ), 
array(  "column" => "email_mobile", "convert" => "a" ), 
array(  "column" => "email_mobile2", "convert" => "a" ), 
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
array(  "column" => "email02", "convert" => "a" ), 
array(  "column" => "email_mobile", "convert" => "a" ), 
array(  "column" => "email_mobile02", "convert" => "a" ), 
-------------------------------------------------------------------

■332行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
array(  "column" => "birth", "convert" => "n" ), 
array(  "column" => "reminder", "convert" => "n" ), 
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
array(  "column" => "birth", "convert" => "n" ), 
array(  "column" => "year", "convert" => "n" ), 
array(  "column" => "month", "convert" => "n" ), 
array(  "column" => "day", "convert" => "n" ), 
array(  "column" => "reminder", "convert" => "n" ), 
-------------------------------------------------------------------

■384行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
foreach($this->arrForm as $key => $val) { 
    $this->$key = $val; 
} 
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
foreach($arrRegistColumn as $key) { 
    $this->$key['column'] = $this->arrForm[$key['column']]; 
} 
-------------------------------------------------------------------

※【追記】
EC-CUBE 2.3.0 未満をお使いの場合は、上記に加え、以下の修正も必要です。
あわせてご対応をお願いいたします。
(EC-CUBE 2.3.0 以上のバージョンでは以下の対応は必要ありません。)

対象:
EC-CUBE 正式版  2.3.0 未満 の2系
2008/09/18(r17616)より前のナイトリービルド版

⑤/data/class/pages/mypage/LC_Page_Mypage_DeliveryAddr.php
の以下のコードを変更します。

■112行目付近
-------------------------------------------------------------------
 変更前
-------------------------------------------------------------------
if ($this->arrErr){ 
    foreach ($_POST as $key => $val){ 
        $this->$key = $val; 
    }
-------------------------------------------------------------------

-------------------------------------------------------------------
 変更後
-------------------------------------------------------------------
if ($this->arrErr){ 
    foreach ($_POST as $key => $val){ 
        if ($val != "") $this->arrForm[$key] = $val; 
    } 
-------------------------------------------------------------------
  1. ホーム
  2. 脆弱性

EC-CUBE公式アドバイザー
ご相談窓口

  • 他社のASPやパッケージとの違いを知りたい
  • BtoCのサイトにBtoB機能を追加したい
  • 何から手をつければよいかわからない
  • オープンソースならではの注意事項を知りたい
  • 自社にマッチした制作会社を探したい
  • サイト制作だけでなく運営もサポートしてほしい

新規構築・リニューアル・取引先向けのWeb受発注システム(BtoB)や事業の拡大など、
今抱えている課題を解決する最適な業者探しを、アドバイザーがお手伝いします。