PJBlog Personal Blog System Action.asp Cross-Site Scripting Vulnerability
Posted by admin, May 11
Affected version: PJBlog 3.0.6.170
Program description:
PJBlog is a free, open-source Chinese personal blog system built on ASP + Access. It performs well, is updated frequently, and supports the newer technologies in use on blogs.
Vulnerability analysis:
In the file Action.asp, starting at line 23:
elseif request("action")="type1" then
    dim mainurl,main,mainstr
    mainurl=request("mainurl")
    main=trim(checkstr(request("main")))
    response.clear()
    mainstr=""
    If Len(memName)>0 Then
        mainstr=mainstr&"<img alt="" /> <a>"&main&"</a>"
The request values mainurl and main are written into the HTML response without output encoding: mainurl is taken from the request as-is, and main only passes through trim() and checkstr(), neither of which neutralizes HTML metacharacters in this context. That is what allows the XSS. The code at line 42 of the same file has the same pattern.
Proof of concept:
http://www.target.com/Action.asp?action=type1&mainurl=xxx">[XSS]
The double quote and closing angle bracket in mainurl terminate the attribute the value lands in, and whatever follows ([XSS]) is rendered as new markup.
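To make the break-out concrete, the following is an added example, not PJBlog's code: a Python model of the type1 branch that concatenates request values into the fragment the way the advisory describes, next to the same template with HTML encoding applied, and a parser-based check that reports whether the input changed the element structure of the output. The attribute layout of the template and the payload are assumptions chosen to match the shape of the PoC above; only the "no encoding" property mirrors Action.asp.

```python
import html
from html.parser import HTMLParser

# Constructed payload with the same shape as the advisory's PoC: a double quote
# and '>' close the attribute the value lands in, then a new element follows.
PAYLOAD = 'xxx"><script>alert(1)</script>'


def render_vulnerable(mainurl: str, main: str) -> str:
    """Request values concatenated straight into the fragment, as the advisory
    describes the type1 branch. The attribute layout is an assumption; the
    missing output encoding is the property taken from Action.asp."""
    return '<img src="%s" alt="" /> <a>%s</a>' % (mainurl, main)


def render_fixed(mainurl: str, main: str) -> str:
    """Same template, every request value HTML-encoded before it is emitted.
    quote=True also encodes the double quote, which is what stops the
    attribute break-out. In classic ASP the equivalent is Server.HTMLEncode,
    and the attribute must remain double-quoted for that to be sufficient."""
    return '<img src="%s" alt="" /> <a>%s</a>' % (
        html.escape(mainurl, quote=True),
        html.escape(main, quote=True),
    )


class _StartTags(HTMLParser):
    """Collect start tags so we can see which elements a fragment really has."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment: str) -> list:
    """Return the start tags a browser-like parser would see in the fragment."""
    parser = _StartTags()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def injects_markup(render, mainurl: str, main: str) -> bool:
    """True if the input changed the element structure of the output, i.e. the
    rendered fragment contains tags the template alone (empty input) lacks."""
    return start_tags(render(mainurl, main)) != start_tags(render("", ""))


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, start_tags(render(PAYLOAD, "<b>hi</b>")),
              "injects markup:", injects_markup(render, PAYLOAD, "<b>hi</b>"))
```

The structural comparison in injects_markup is the useful part for testing a fix: instead of grepping the response for the literal payload, it asks whether untrusted input added any element to the page, which also catches payloads that use a tag other than script.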
Solution:
Vendor patch:
PJblog
-------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:
http://bbs.pjhome.net/thread-52214-1-1.html
Source:
Bug.Center.Team http://www.cnbct.org
Link: http://wavdb.com/vuln/1408