Focus on the Z-blog feed and the security implications

Source: Internet
Author: User
Keywords: Security


Z-blog feeds come in two kinds, static and dynamic:

First, static feeds: the Z-blog system can generate two kinds of static XML feed files through the "index rebuild" function in the admin backend:

1. An RSS 2.0 standard-format file named rss.xml, for example: http://www.zhengzhouseo.org/rss.xml

2. An Atom 1.0 standard-format file, accessed in the form /feed.asp?atom, for example: http://www.zhengzhouseo.org/feed.asp?atom

Second, dynamic feeds: through the feed.asp file, the Z-blog system can also turn part of the blog's data into a dynamic RSS 2.0 standard XML feed that readers can subscribe to. A user subscribes to specific content by passing parameters to the feed file; for example, a reader who is interested only in particular columns of the blog simply calls the relevant parameters of the feed file to subscribe to that column.

The Z-blog feed provides a range of parameters to meet users' individual needs; they are summarised below:

Parameter | Valid value  | Default value                         | Description
cate      | category ID  | none                                  | articles of the given category as RSS
tags      | tag ID       | none                                  | recent articles under the corresponding tag as RSS
user      | user ID      | none                                  | the user's most recently published articles as RSS
date      | year-month   | none                                  | articles from the corresponding year-month as RSS
cmt       | article ID   | outputs the latest site-wide comments | latest comments as RSS
gb        | none         | none                                  | latest messages as RSS

Feed security risks: the risk lies mainly in the user parameter of the dynamic feed (subscribing to a user's recently published articles). A reader normally uses http://<blog address>/feed.asp?user=<id> to subscribe to a Z-blog user's latest articles, and the program uses that user's account name as the page title. In particular, when http://<blog address>/feed.asp?user=1 is used to subscribe to the latest articles, the administrator's account name appears in large type in the page title; the administrator account is thereby exposed and the system's safety margin drops significantly.

Fixing the feed user leak: in the site's feed.asp file, locate the function "Function ExportRssByUser(UserID)", which is the function behind the feed's user parameter. Inside it, find the line UserName = Users(UserID).Name (line 151 of the program) and change the value assigned to UserName directly, for example UserName = "Wang", so that the administrator account name is no longer leaked.

Extended reading:

If you find the default title of the Z-blog feed page too plain, you can modify it. To do so, open the Css/rss.xslt file, look for the "" tag, and add your custom title before and after that tag, for example: "RSS Feed-

Noun Explanation:

Feed originally means "to feed, to raise; (news) broadcast" and so on. The word as used in RSS subscription extends that sense: it denotes the interface through which updates from an information source are received. A feed is a standardised export format that lets anyone who needs updates keep fetching them; put simply, your blog pages are for people to read, and the feed is for programs to read. See also the Baidu Encyclopedia entry for feed.

This article was originally published on www.zhengzhouseo.org; reprints must credit the source!
