Posted on 2006-7-31 23:50:47
<div class="msgheader">QUOTE:</div><div class="msgborder"><b>Quoting <i>qaddf133</i>'s post of 2006-7-31 12:17:49:</b><br/><p>Sort it out yourself. I've found it for you. Patch it.</p><p></p><p>Dvbbs's mymodify.asp does not filter the submitted custom-avatar content strictly enough, so cross-site scripting code can be written into the avatar.<br/>Dvbbs avatars come in two kinds, myface (built-in avatar) and face (custom avatar); if the submitted myface value is empty, the submitted face value is used. It is filtered as follows:<br/>face=Dv_FilterJS(Replace(face,"'",""))<br/>face=Replace(face,"..","")<br/>face=Replace(face,"\","/")<br/>face=Replace(face,"^","")<br/>face=Replace(face,"#","")<br/>face=Replace(face,"%","")<br/>face=Replace(face,"|","")<br/>face=Left(face,200)<br/>Part of "Dv_FilterJS" reads as follows:<br/>Function Dv_FilterJS(v)<br/>..............<br/>re.Pattern="(script)" <br/>t=re.Replace(t,"<I>script</I>") 'replace the string script with <I>script</I><br/>re.Pattern="(js:)"<br/>t=re.Replace(t,"<I>js:</I>")<br/>...............<br/>End Function<br/><br/>Here Dvbbs made a logic error: the filtering is applied before the check of the code is complete, so if javasc|ript or javasc^ript is submitted, Dvbbs's filter can be bypassed.<br/><br/>Fix:<br/>Use the following Replace-based filtering.<br/><br/>face=Dv_FilterJS(Replace(face,"'","''")) 'JMDCW 2006-06-22<br/>face=Replace(face,"\","/")<br/>face=Replace(face,"#","&#35;") 'encode # first so it cannot rewrite the entities inserted below<br/>face=Replace(face,"^","&#94;")<br/>face=Replace(face,"%","&#37;")<br/>face=Replace(face,"|","&#124;")<br/>face=Replace(face,"..","&#46;&#46;")<br/>face=Replace(face," ","&nbsp;") 'TAB value<br/></p></div><p>Heh, as long as you didn't do anything bad.</p>
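The quoted advisory describes a sanitisation-ordering bug: the keyword filter (Dv_FilterJS) runs first, and only afterwards are separator characters deleted, so a deletion can splice a split keyword back together. The Python below is an added illustration, not Dvbbs code and not part of the quoted post: it ports the two VBScript filter chains to Python so the before/after behaviour can be checked side by side. Assumptions: the regex is modelled case-sensitively because the quoted fragment does not show the RegExp's IgnoreCase setting, and in the patched chain the "#" replacement is placed ahead of the other entity replacements, since otherwise it would rewrite the "#" inside the entities they insert.

```python
import re

# Constructed model of the quoted Dv_FilterJS fragment (Python port, not the
# original ASP). It breaks up the keywords "script" and "js:" with <I></I>
# tags; the elided parts of the real function are not modelled here.
def dv_filter_js(t: str) -> str:
    t = re.sub(r"(script)", r"<I>\1</I>", t)
    t = re.sub(r"(js:)", r"<I>\1</I>", t)
    return t


def vulnerable_face_filter(face: str) -> str:
    """Original mymodify.asp chain: keyword filter first, then DELETE
    separator characters. Deleting after the keyword check lets the
    remaining fragments join up into the very keyword that was checked."""
    face = dv_filter_js(face.replace("'", ""))
    face = face.replace("..", "")
    face = face.replace("\\", "/")
    face = face.replace("^", "")
    face = face.replace("#", "")
    face = face.replace("%", "")
    face = face.replace("|", "")
    return face[:200]  # Left(face,200)


def fixed_face_filter(face: str) -> str:
    """Patched chain (JMDCW 2006-06-22): separator characters are ENCODED as
    HTML entities instead of deleted. Nothing is removed after the keyword
    check, so no fragments can be spliced together. The '#' step is moved
    first (assumption, see lead-in) so it cannot mangle the entities
    introduced by the later steps."""
    face = dv_filter_js(face.replace("'", "''"))
    face = face.replace("\\", "/")
    face = face.replace("#", "&#35;")
    face = face.replace("^", "&#94;")
    face = face.replace("%", "&#37;")
    face = face.replace("|", "&#124;")
    face = face.replace("..", "&#46;&#46;")
    face = face.replace(" ", "&nbsp;")
    return face


def keyword_survives(filtered: str, keyword: str = "script") -> bool:
    """Defender's check: after filtering, is the keyword present intact
    (i.e. not broken up by the <I></I> wrapper)? True means the filter
    chain let a whole keyword through."""
    return keyword in filtered


if __name__ == "__main__":
    # Constructed sample inputs, taken from the advisory's description.
    for sample in ("javasc|ript", "javasc^ript", "javasc..ript"):
        before = vulnerable_face_filter(sample)
        after = fixed_face_filter(sample)
        print(f"{sample!r:16} vulnerable -> {before!r:14} keyword intact: {keyword_survives(before)}")
        print(f"{'':16} fixed      -> {after!r:14} keyword intact: {keyword_survives(after)}")
```

Running the block shows the two chains diverging on the same input: the deletion-based chain turns each split sample into the plain keyword, while the entity-encoding chain leaves the separator visible as an entity, so the keyword never reassembles regardless of the order in which the steps run.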