Tosec Information Security Team (Www.tosec.cn)
Original Vulnerability
Affected Versions:
Only 8684. CN similar bus Program
Description:
Cross-Site vulnerabilities are directly generated because the program does not pass through strict query.
Attack test code http://beijing.8684.cn/so.php? K = pp & q = test "> <"
Test attack site http://beijing.8684.cn/so.php? K = pp & q = test "> <"
Vulnerability Analysis:
Vulnerability page: ask. php
Brief description: there is no strict planning for the city data behind the page, so that cross-site data is generated again.
Test site: http://hi.8684.cn/
Q & A is a program used by netizens to query site routes. It was developed based on UCH. Recently, we have contacted related personnel to notify 8684 about management and repair and developed related patches.
As described by the other programmer, the related filtering has been completed to improve the security performance. Therefore, we discuss the filtering with the other programmer.
Continue with the analysis of the 7.15 Security repair Q & A program. We enter the following address to check whether the original vulnerability still exists.