Release date: 2011-01-26
Author: LinkEr
Affected Version: V1.7 static version
Http://www.strongfire.cn/
Vulnerability Type: design defect
Vulnerability Description: Fengshen news management static edition 1.7 has multiple vulnerabilities.
#1.1
Admin back-end login verification file: wwwroot/admin/islogin.asp
========================================================== ========================================================== ====
<%
' islogin.asp: login gate for the admin back end. It only protects a page
' that actually includes it (presumably via an include directive at the top
' of each admin page; confirm against the other admin files).
'
' Check 1: an empty session ("admin") value is treated as "not logged in".
' The page writes a login prompt and ends the response.
If session ("admin") = "" then
Response. Write ("<br> <div align = center> you have not logged on or the operation times out. Please <a href = login. asp
Target = _ top> login </a>. </div> ")
Response. End ()
End if
' Check 2: the Referer value must contain "http://" followed by this
' request's Host value; otherwise the response is ended with a refusal message.
' NOTE(review): HTTP_REFERER and HTTP_HOST are both taken from request headers,
' which the client supplies, so this comparison is not an access control on its
' own. The session check above is the only server-side state consulted here.
' NOTE(review): as printed, the instr (...) call lacks its closing parenthesis
' and the literals contain stray spaces. These are probably extraction
' artifacts; confirm against the original file.
If instr (request. servervariables ("http_referer"), "http: //" & request. servervariables ("http_host") <1
Then
Response. write "<br> <div align = center> prohibit external access to the management background </div>"
Response. End ()
End if
%>
========================================================== ========================================================== ====
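The client-spoofing vulnerability is not related to the authentication file. As the notes in the listings below point out, list.asp and dir.asp do not include islogin.asp, so the checks above are not applied to those pages.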
========================================================== ========================================================== =
#1.1 wwwroot/admin/list.asp
<% @ LANGUAGE = "VBSCRIPT" CODEPAGE = "936" %>
<! -- # Include file = "admin_conn.asp" --> // note that islogin.asp is not included: admin_conn.asp (not shown on this page) is the only include, so the session ("admin") check in islogin.asp is not applied here unless admin_conn.asp pulls it in. The page goes on to print server name, IP address, port, server software and OS values.
<Html>
<Head>
<LINK href = "admin_Css.css" type = text/css rel = stylesheet>
<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312"/>
<Title> modify information list </title>
<Style type = "text/css">
<! --
. STYLE1 {
Font-size: 14px;
Color: # 0000FF;
Font-weight: bold;
}
-->
</Style>
</Head>
<Body>
<Div align = "center">
<P> <br>
<Span class = "STYLE1"> Management homepage </span> </p>
<Table class = "table_back" width = "567" border = "0" cellspacing = "1" cellpadding = "0">
<Tr>
<Td colspan = "2"> <div align = "center" class = "table_title"> server-related parameters </div> </td>
</Tr>
<Tr>
<Td width = "115" class = "table_td2"> <div align = "left"> & nbsp; server name </div>
<Div align = "center"> </div> </td>
<Td width = "449" class = "table_td2"> & nbsp; <% = Request. ServerVariables ("SERVER_NAME") %> </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; server IP address </td>
<Td class = "table_td2"> & nbsp; <% = Request. ServerVariables ("LOCAL_ADDR") %> </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; server port </td>
<Td class = "table_td2"> & nbsp; <% = Request. ServerVariables ("SERVER_PORT") %> </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; server time </td>
<Td class = "table_td2"> & nbsp; <% = now %> </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; IIS version </td>
<Td class = "table_td2"> & nbsp; <% = Request. ServerVariables ("SERVER_SOFTWARE") %> </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; script timeout </td>
<Td class = "table_td2"> & nbsp; <% = Server. ScriptTimeout %> seconds </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; number of server CPUs </td>
<Td class = "table_td2"> & nbsp; <% = Request. ServerVariables ("NUMBER_OF_PROCESSORS") %> </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; server interpretation engine </td>
<Td class = "table_td2"> & nbsp; <% = ScriptEngine & "/" & ScriptEngineMajorVersion
& "." & ScriptEngineMinorVersion & "." & ScriptEngineBuildVersion %> </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; server operating system </td>
<Td class = "table_td2"> & nbsp; <% = Request. ServerVariables ("OS") %> </td>
</Tr>
<Tr>
<Td class = "table_td2"> & nbsp; FSO read/write </td> // the following code is omitted.
========================================================== ========================================================== =
#1.2 wwwroot/admin/dir.asp
<! -- # Include file = "dir. inc. asp" --> // dir.inc.asp is listed under #1.3; it is the only file included here.
<Meta HTTP-EQUIV = "Content-Type" CONTENT = "text/html; charset = gb2312"> // note that islogin.asp is not included either, so its session ("admin") check is not applied to this page (the part of dir.inc.asp listed under #1.3 does not include it either).
<Html>
<Title> Information Management directory </title>
<Link rel = "stylesheet" href = "style.css" type = "text/css">
<Head>
<SCRIPT language = "javascript1.2">
// Toggles the submenu element named "submenu" + sid: when its display style
// is "none" it is shown (display set to ""), otherwise it is hidden.
// The element reference and both assignments are built as strings and run
// through eval().
// NOTE(review): sid is concatenated into the eval() input unchecked; the
// callers are not shown here, so confirm it is always a fixed menu index.
// NOTE(review): as printed, the condition uses a single "=" and the quotes
// inside the Eval strings are unbalanced. These are probably extraction
// artifacts; confirm against the original file.
Function showsubmenu (sid)
{
WhichEl = eval ("submenu" + sid );
If (whichEl. style. display = "none ")
{
Eval ("submenu" + sid + ". style. display = "";");
}
Else
{
Eval ("submenu" + sid + ". style. display =" none ";");
}
}
</SCRIPT>
</Head>
<BODY bgcolor = "#799AE1" leftmargin = "0" topmargin = "0">
<Div align = center>
<Table width = "158" cellpadding = "0" cellspacing = "0" border = "0">
<Tr>
<Td valign = "top">
<Table cellpadding = "0" cellspacing = "0" width = "158">
<Tr>
<Td height = "42" valign = "bottom">
</Td>
</Tr>
</Table>
<Table cellpadding = "0" cellspacing = "0" width = "158" align = "center">
<Tr>
<Td height = "25" class = "menu_title" onMouseOver = "this. className = menu_title2 ;"
OnMouseOut = "this. className = menu_title;" background = "images/title_bg_quit.gif">
<Div align = "left"> & nbsp; <a href = "list. asp "target =" mainFrame "> <B> Management homepage </B> </a>
| <A href = "loginout. asp" target = "_ top"> <B> exit </B> </a> </div>
</Td>
</Tr>
</Table>
& Nbsp;
<%
// Render the management menu: showMenu is the Sub declared in dir.inc.asp (listed under #1.3), which is included at the top of this file.
Call showMenu ()
%>
</Td>
</Tr>
</Table>
<P> </div>
</BODY>
</Html>
========================================================== ========================================================== =
#1.3 wwwroot/admin/dir.inc.asp
<Meta HTTP-EQUIV = "Content-Type" CONTENT = "text/html; charset = gb2312">
<%
// Predefined
Dim menu (3,9), j, tmpmenu, menuname, menurl
Menu (0, 0) = "Information Management"
Menu (0, 1) = "<a href = ArticleAddSelClass. asp target = mainFrame> Publish information </a> | <
Href = ArticleModSelClass. asp target = mainFrame> modify Information </a>"
Menu () = "<a href = SearchArticle. asp target = mainFrame> search information </a> | <a href = TjArticle. asp
Target = mainFrame> recommendation Information </a>"
Menu () = "FSO generate htm"
Menu () = "<a href = QtMake. asp target = mainFrame> Generate foreground files </a>"
Menu (1, 2) = "<a href = HtmlMake. asp target = mainFrame> regenerate htm in batches </a>"
Menu (2, 0) = "Integrated Management"
Menu (2, 1) = "<a href = ClassManage. asp target = mainFrame> category management </a> & nbsp; | & nbsp; <a href = SuperUser. asp
Target = mainFrame> User management </a>"
Menu (2, 2) = "<a href = SpaceSize. asp target = mainFrame> space usage </a> & nbsp; | & nbsp; <a href = SysSet. asp
Target = mainFrame> system Settings </a>"
Menu (2, 3) = "<a href = DataManage. asp target = mainFrame> database maintenance </a> | & nbsp; <a href = moban. asp
Target = mainFrame> template management </a>"
Menu (3, 0) = "copyright information"
Menu (3, 1) = "<font face = Arial, Helvetica, sans-serif> <B> current version: </font> </B> V1.7"
Menu () = "<a href = http://www.strongfire.cn target = _ blank> <font face = Arial, Helvetica, sans-serif> <B>
Fire Fighting studio </B> </font> </a>"
Menu (3, 3) = "<font face = Arial, Helvetica, sans-serif> website customization, static processing"
Menu (839225572) = "<font face = Arial, Helvetica, sans-serif> QQ: (Firebird )"
Sub showMenu ()
D