[Vulnerability Warning] High Risk Vulnerabilities in ECShop Remote Code Execution

2018-09-05 18:01:54
Dear user

Recently, JD Cloud Security team has monitored that some security researchers disclosed a high-risk vulnerability in remote code execution for the full series of version of ECShop.


Vulnerability Details

The template variable of display function in user.php file of ECShop is controllable, resulting in injection.


Risk Level

Severe


Influence Scope

The full series version of ECShop is composed of 2.x, 3.0.x, 3.6.x etc.


Repairing Suggestion

Forced data type conversion is strongly recommended before the official patch update

Modify include/lib_insert.php cast $arr[id] and $arr[num] into int type as the following example:

$arr[id]=intval($arr[id])    $arr[num]=intval($arr[num])


JD Cloud team

2018-09-05 18:01:54