WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online ------------------------ http://drop.zone.ci/
2013-05-10: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2013-05-10: The vendor has proactively ignored the vulnerability; details disclosed to the public.
addview.asp performs no verification of the user's identity, so anyone can post comments on news articles at will.
<%
' Form fields are read straight from the request; no session or login check precedes them.
reviewID=checkstr(Request.Form("reviewID"))
NewsID=checkstr(Request.Form("NewsID"))
title=checkstr(Request.Form("title"))
Author=trim(checkstr((Request.Form("Author"))))
dim ViewUrl
ViewUrl=request.cookies(eChsys)("ViewUrl")
if ViewUrl="" then
    ViewUrl="index.asp"
end if
if author="" then
    response.write "<script>alert('请输入您的姓名!');history.back()</script>"
    Response.End
end if
author=htmlencode(author)
email=trim(Request.Form("email"))
if email="" then
    response.write "<script>alert('请输入您的EMAIL。');history.back()</script>"
    Response.End
end if
if IsValidEmail(email)=false then
    response.write "<script>alert('请输入正确的EMAIL。');history.back()</script>"
    Response.End
end if
' Blacklist check on the raw content field.
if Instr(request("content"),"'")>0 or Instr(request("content"),"script")>0 or Instr(request("content"),"onClick")>0 or Instr(request("content"),"onload")>0 then
    Show_Err("对不起,您输入的留言内容包含有非法字符。<br><br><a href='javascript:history.back()'>返回</a>")
    Response.End
end if
content=trim(htmlencode1((request.form("content"))))
content=replace(content,"<p> ","")
content=replace(content,"<P> ","")
Response.cookies(eChsys)("content")=content
' Word filter: replace each configured term with "***".
dim byte1
byte1=split(byteType,"|")
for i=0 to ubound(byte1)
    content=replace(content,trim(byte1(i)),"***")
next
' IP blocklist.
dim byte2
byte2=split(byteipType,"|")
for i=0 to ubound(byte2)
    if Request.serverVariables("REMOTE_ADDR")=byte2(i) then
        Show_Err("对不起,你的IP地址已被锁定,请联系管理员!!!。<br><br><a href='javascript:history.back()'>返回</a>")
        Response.cookies(eChsys)("content")=""
        Response.End
    end if
next
' Spam-term blocklist.
dim byte3
byte3=split(bytezfType,"|")
for i=0 to ubound(byte3)
    if Instr(request("content"),byte3(i))>0 then
        Show_Err("对不起,请不要发布非法小广告!!!。<br><br><a href='javascript:history.back()'>返回</a>")
        Response.cookies(eChsys)("content")=""
        Response.End
    end if
next
if content="" then
    response.write "<script>alert('请输入评论内容!');history.back()</script>"
    Response.End
end if
set rs=server.createobject("adodb.recordset")
sql="select * from "& db_EC_News_Table &" where NewsId=" & NewsId
rs.open sql,conn,1,3
if rs.eof and rs.bof then
    rs.close
    set rs=nothing
    response.write "<script>alert('无法对不存在的文章进行评论!\n 确认是否为非法的提交。');history.back()</script>"
    response.end
else
    checked=rs("checkked")
    if checked<>1 then
        rs.close
        set rs=nothing
        response.write "<script>alert('文章未通过审核,不能进行评论!');history.back()</script>"
        response.end
    else
        rs("titlesize")=1
        rs.update
        rs.close
        reviewip=Request.ServerVariables("REMOTE_ADDR")
        passed=checkstr(Request.Form("passed")) ' The comment-approval flag is actually left to the user to submit!
        set rs=server.createobject("adodb.recordset")
        sql="select * from "& db_EC_Review_Table &""
        rs.open sql,conn,1,3
        rs.addnew
        rs("author")=author
        rs("content")=content
        rs("title")=title
        rs("NewsID")=NewsID
        rs("passed")=passed
        rs("reviewip")=reviewip
        rs("email")=email
        rs("updatetime")=now()
        rs.update
        rs.close
        reviewid=reviewID+1
        set rs=nothing
        Response.cookies(eChsys)("content")=""
    end if
end if
Response.Redirect ViewUrl
%>
A POST whose body contains newsid, passed, title, content, author and email bypasses the comment review mechanism and publishes a comment directly on the news item identified by newsid.
Add user authentication and a captcha to the addview.asp page; the passed flag must be controllable only by an administrator.
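The following is an added example of what the hardened insert path in addview.asp could look like; it is not the vendor's code. It assumes session keys named Session("UserID"), Session("IsAdmin") and Session("CaptchaCode") and a form field named captcha, all of which are hypothetical names chosen for the illustration; the existing variables content, title, email, conn, db_EC_Review_Table and htmlencode are taken from the page's own code.

```asp
<%
' Added example (not the vendor's code). Session key names and the captcha
' field name are assumptions; content/title/email are already validated above.

' 1. Authentication: reject anonymous requests before any form field is used.
if Session("UserID") = "" then
    Response.Status = "403 Forbidden"
    Response.Write "Login required."
    Response.End
end if

' 2. Captcha: the expected code lives only in the session and is cleared on use,
'    so a single solved captcha cannot be replayed for many submissions.
dim captchaExpected
captchaExpected = Session("CaptchaCode")
Session("CaptchaCode") = ""
if captchaExpected = "" or StrComp(Trim(Request.Form("captcha")), captchaExpected, vbTextCompare) <> 0 then
    Response.Write "<script>alert('Captcha incorrect.');history.back()</script>"
    Response.End
end if

' 3. The approval flag is never read from Request.Form. Every new comment is
'    stored unapproved (0); only an administrator session publishes directly.
dim passed
passed = 0
if Session("IsAdmin") = True then
    passed = 1
end if

' 4. NewsID is validated as a number and converted before it reaches the SQL text.
dim NewsID
if not IsNumeric(Request.Form("NewsID")) then
    Response.Write "<script>alert('Invalid NewsID.');history.back()</script>"
    Response.End
end if
NewsID = CLng(Request.Form("NewsID"))

' 5. Open an empty recordset for the insert instead of loading the whole table.
set rs = server.createobject("adodb.recordset")
rs.open "select * from " & db_EC_Review_Table & " where 1=0", conn, 1, 3
rs.addnew
rs("author")     = htmlencode(Trim(Request.Form("Author")))
rs("content")    = content
rs("title")      = title
rs("NewsID")     = NewsID
rs("passed")     = passed      ' server-assigned, never client-supplied
rs("reviewip")   = Request.ServerVariables("REMOTE_ADDR")
rs("email")      = email
rs("updatetime") = now()
rs.update
rs.close
set rs = nothing
%>
```

The key change is step 3: the column that decides whether a comment is visible is assigned from server-side state (the moderator role in the session) rather than copied from the submitted form, so the list of fields a client may influence is exactly author, content, title, NewsID and email. Steps 1 and 2 implement the authentication and captcha recommended above; clearing Session("CaptchaCode") after the comparison is what makes each captcha single-use.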
Unable to reach the vendor, or the vendor actively refused.