Recently, the JD Cloud Security team observed that some security researchers have disclosed a high-risk remote code execution vulnerability affecting the full series of ECShop versions.
The template variable of the display function in ECShop's user.php file is controllable, which results in injection.
The full series of ECShop versions comprises 2.x, 3.0.x, 3.6.x, etc.
Until the official patch update, forced data type conversion is strongly recommended.
Modify include/lib_insert.php to cast $arr[id] and $arr[num] to int type, as in the following example:
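An illustration of this cast, added here (not the advisory's own example and not ECShop source code): the function names, table, columns and logging helper are hypothetical, and the inputs are constructed.

```php
<?php
// Added illustration, not ECShop source. Function, table and column names are hypothetical.

// Before: fields of $arr are concatenated into the SQL text unchanged.
function build_query_before(array $arr): string
{
    return 'SELECT ad_id FROM example_ad WHERE position_id = ' . $arr['id']
         . ' LIMIT ' . $arr['num'];
}

// Hypothetical helper: force a value to int and log when the raw input was not
// already a plain integer, so altered requests show up in the application log.
function force_int($raw, string $field): int
{
    $value = intval($raw);
    if ((string) $value !== trim((string) $raw)) {
        error_log("non-integer input for {$field}: " . json_encode($raw));
    }
    return $value;
}

// After: both fields are cast to int before they reach the SQL text.
function build_query_after(array $arr): string
{
    $arr['id']  = force_int($arr['id'], 'id');
    $arr['num'] = force_int($arr['num'], 'num');
    return 'SELECT ad_id FROM example_ad WHERE position_id = ' . $arr['id']
         . ' LIMIT ' . $arr['num'];
}

// Constructed inputs: a normal request, one with trailing SQL text, one non-numeric.
$samples = [
    ['id' => '3', 'num' => '5'],
    ['id' => '3 OR 1=1', 'num' => '5'],
    ['id' => 'abc', 'num' => '5x'],
];

foreach ($samples as $s) {
    echo 'input : ', json_encode($s), PHP_EOL;
    echo 'before: ', build_query_before($s), PHP_EOL;
    echo 'after : ', build_query_after($s), PHP_EOL, PHP_EOL;
}
```

The cast strips the non-numeric text but can still yield 0 or a negative number, so range checks on the result remain the caller's job.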
JD Cloud team, 2018-09-05 18:01:54