PJBlog个人博客系统Getarticle.asp页面跨站脚本攻击漏洞
Posted by adminMay 11
影响版本:PJBlog 3.0.6.170
程序介绍:
PJBlog一套开源免费的中文个人博客系统程序,采用asp+Access的技术,具有相当高的运作效能以及更新率,也支持目前Blog所使用的新技术。
漏洞分析:
在文件Getarticle.asp中:
blog_postFile = request("blog_postFile") //第14行 ...... If Ifmore or thispage<>1 then //第100行 OutPut=OutPut&" <strong>模式:</strong> <a style="cursor:pointer" onclick="check('Getarticle.asp?id="&id&"&act=more&blog_postFile="&blog_postFile&"','wbc_tag','wbc_tag')">全部显示[共"&total_rela&"个相关文章]</a> "
程序没有对输出变量blog_postFile做过滤导致xss漏洞的产生。
漏洞利用:
http://www.target.com/Getarticle.asp?id=1&blog_postFile=xxxx%22%20)>[XSS]&page=2
解决方案:
厂商补丁:
PJblog
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://bbs.pjhome.net/thread-52214-1-1.html
信息来源:
<*来源: Bug.Center.Team http://www.cnbct.org
链接: http://wavdb.com/vuln/1409 *>
8 comments
Trackback by Vicodin. on April 16, 2010 at 9:58 am
Vicodin....
Buy vicodin online. Convert vicodin to oxycotin. Vicodin. Vicodin without prescription....
Trackback by Keflex. on April 16, 2010 at 9:00 pm
Keflex....
Keflex....
Trackback by Meridia. on April 17, 2010 at 2:47 am
Meridia reviews....
Meridia side effects. Meridia. Buy meridia cheap. Meridia diet pill....
Trackback by Darvocet vs vicodin. on April 17, 2010 at 2:04 pm
Forum vicodin buy vicodin online....
Vicodin. Dangers of vicodin. Vicodin detox. Long term vicodin use. Vicodin withdrawal. Order vicodin....
Trackback by Zoo sex. on April 18, 2010 at 11:02 am
Zoo sex....
Zoo sex....
Trackback by Free pussy. on April 19, 2010 at 11:40 am
Eating pussy....
Free pussy. Pussy. Old pussy. Free teen pussy. Eating pussy....
Trackback by Cheap adipex. on April 24, 2010 at 11:36 am
Adipex....
Adipex. Adipex 37.5....
Trackback by Cheap flights to houston tx. on April 25, 2010 at 9:55 am
Cheap flights....
Cheap international flights. Cheap flights. Cheap flights from dfw to mombasa. Cheap flights to new zealand....
You must be logged in to post a comment.