UCenter防止恶意访问利用验证码CCCC漏洞(安全加固)
功能说明:uc_server/admin.php是ucenter默认的后台地址,正常情况下可以直接访问,为了防止某些恶意访问的情况,可以修改以下内容进行安全性能提升。适用版本:Discuz!x1-x3.4适用情况:ucenter在论坛根目录下
修改后效果:未登录Discuz论坛或不在指定的管理组,打开uc_server/admin.php提示404
具体实施方案:
打开uc_server/model/admin.php
搜索
$this->cookie_status = isset($_COOKIE['sid']) ? 1 : 0;在下面加入以下代码
if(!$this->cookie_status){
include UC_ROOT.'../config/config_global.php';
$cookiepre = $_config['cookie']['cookiepre'].substr(md5($_config['cookie']['cookiepath'].'|'.$_config['cookie']['cookiedomain']), 0, 4).'_';
$auth = addslashes($_COOKIE[$cookiepre.'auth']);
if(empty($_config['cookie']['saltkey'])) {
$_config['cookie']['saltkey'] = addslashes($_COOKIE[$cookiepre.'saltkey']);
}
$authkey = md5($_config['security']['authkey'].$_config['cookie']['saltkey']);
$auth = daddslashes(explode("\t", $this->dauthcode($auth, 'DECODE',$authkey)));
list($discuz_pw, $discuz_uid) = empty($auth) || count($auth) < 2 ? array('', '') : $auth;
$discuz_uid = intval($discuz_uid);
$groupid = $this->db->result_first("SELECT groupid FROM ".$_config['db']['tablepre']."common_member WHERE uid='$discuz_uid'");
if(!in_array($groupid,array('1','2'))){
header("HTTP/1.1 404 Not Found");header("Status: 404 Not Found");exit;
}
}小提示:其中这里增加用户组
array('1','2')搜索function __construct() {
$this->adminbase();
}后面加入
**** Hidden Message *****修改好的下载:
**** Hidden Message *****
本帖由科站网原创
我正好需要这个东西 感谢楼主分享~ 好深奥啊
页:
[1]