2005-12-16 12:49:53 by: h4x0r
CSDN Blog存在跨站漏洞!
描述:
DotText 是一个开放来源weblog 系统由 Scott Watermasysk 基于ASP.NET 。某一weblog 系统是基本在 dottext .
下载地址:
http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=e99fccb3-1a8c-42b5-90ee-348f6b77c407
让我们看一下漏洞文件:
Referrers.aspx.cs
测试方法: http://X/<script>alert('h4x0r')</script>
PS:下面测试的是CSDN Blog 0.99版本 By h4x0r
Comments Feed: http://www.4evil.org/feed.asp?q=comment&id=375
DotText 是一个开放来源weblog 系统由 Scott Watermasysk 基于ASP.NET 。某一weblog 系统是基本在 dottext .
下载地址:
http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=e99fccb3-1a8c-42b5-90ee-348f6b77c407
让我们看一下漏洞文件:
Referrers.aspx.cs
if (dataContainer is Referrer)
{
Referrer referrer = (Referrer) dataContainer;
return "<a href=\"" + referrer.ReferrerURL + "\" target=\"_new\">" + referrer.ReferrerURL.Substring(0,referrer.ReferrerURL.Length > 50 ? 50 : referrer.ReferrerURL.Length) + "</a>";
}
{
Referrer referrer = (Referrer) dataContainer;
return "<a href=\"" + referrer.ReferrerURL + "\" target=\"_new\">" + referrer.ReferrerURL.Substring(0,referrer.ReferrerURL.Length > 50 ? 50 : referrer.ReferrerURL.Length) + "</a>";
}
测试方法: http://X/<script>alert('h4x0r')</script>
PS:下面测试的是CSDN Blog 0.99版本 By h4x0r
[Last Modified By h4x0r, at 2007-02-19 21:17:06]
Comments Feed: http://www.4evil.org/feed.asp?q=comment&id=375
There is no comment on this article.
