I. Program vulnerabilities

1. Injection and cross-site vulnerabilities. When Guestbook.asp and Resume.asp add data, the parameters they receive are not filtered at all, so they can be used for injection and cross-site attacks.

2. Cookie injection vulnerability. Again in these two files, parameters are taken in the form Request("parameter name"). Taken this way, even if a general anti-injection system is installed, cookie injection bypasses it and dangerous characters can be submitted.

3. Session spoofing vulnerability. The back-end login verification program Admin/chkuser.asp has a session spoofing vulnerability.

4. Back-end injection and cross-site vulnerabilities. The back-end programs give essentially no consideration to injection and cross-site problems and do no processing at all. (This is a common problem among many programmers, including many old hands who have been programming for years. Remember: a dike of a thousand miles collapses from an ant hole!)

5. File upload vulnerability. In the back end, under "Website management" > "Upload settings", the allowed file extensions can be modified, which lets users upload all kinds of web Trojans (web shells) at will. (Calling this a vulnerability is a bit embarrassing for the programmer who wrote this program, since the setting was made deliberately; it is explained in detail later.)

6. Back-end Admin/Check_UserName.asp. Frankly, it is hard to know what the author of the program wanted with this file. It was probably kept for convenience while debugging the program and forgotten at release time and never deleted. It really should not be there (if the boss saw it, pay would be docked).

7. Verification code vulnerability. There is no verification code on the back-end login, so it can be cracked.

II. Modification scheme

1. Add a parameter filter function. Problems 1 and 4 above are injection and cross-site issues caused by loose parameter filtering.

(1) Character filtering function. This function is called whenever a parameter is taken, and it prevents injection.
The code is as follows:

    ' ParaName: parameter name (string)
    ' ParaType: parameter type (number): 1 = the parameter is a number, 0 = the parameter is a string
    Function CheckPara(ParaName, ParaType)
        Dim ParaValue
        ParaValue = Request(ParaName)
        If ParaType = 1 Then
            If Not IsNumeric(ParaValue) Then
                Response.Write "Parameter " & ParaName & " must be a number!"
                Response.End
            End If
        Else
            ' Double any single quote so the value cannot close a quoted SQL literal
            ParaValue = Replace(ParaValue, "'", "''")
        End If
        CheckPara = ParaValue
    End Function

This is an anti-injection function from many years ago. It seems to come from NB, but it is still effective against injection. Current anti-injection systems block a great many items in parameters, and I personally think that is not reasonable. It is a very simple matter: if someone asks in a technical forum how to write an SQL statement, he is presumably doomed to spend the rest of his life stuck at the "illegal character" dialog box. In the end, an injection must close the SQL statement, that is, use a single quote to close the quoted string, so it is enough to block just the single quote.

Finally, there is the cross-site problem. The vulnerability on this site is that HTML or JS code can be written into the page. If < and > are filtered, the code cannot be interpreted by the browser. In fact the system already has an HTML character filtering function, but the site under test does not use it.

(1) Code file: Inc/Function.asp

(2) Related code:

    '****************************************************
    ' Function name: RemoveHTML
    ' Purpose: filter HTML code
    ' Parameter: strHTML -- original string
    ' Return value: the filtered string
    '****************************************************
    Function RemoveHTML(strHTML)
        Dim objRegExp, Match, Matches
        Set objRegExp = New RegExp
        objRegExp.IgnoreCase = True
        objRegExp.Global = True
        ' Match anything enclosed in < >
        objRegExp.Pattern = "<.+?>"
        ' Perform the match
        Set Matches = objRegExp.Execute(strHTML)
        ' Walk the match collection and remove each matched item
        For Each Match In Matches
            strHTML = Replace(strHTML, Match.Value, "")
        Next
        RemoveHTML = strHTML
        Set objRegExp = Nothing
    End Function

We can also combine the anti-injection and anti-cross-site functions into one to make things easier to use. Knowledge about cross-site scripting is beyond the scope of this discussion; some day I may open an XSS column and we can study it together.

2. Take values correctly to prevent cookie injection. For problem 2 above, to avoid cookie injection, first understand the three ASP methods Request.QueryString, Request.Form and Request. There is nothing much to say about the first two, Request.QueryString and Request.Form. Exactly