L-deficiencies in the Blog Cross-Site vulnerability patch file

A few days ago, l-blog encountered a Cross-Site vulnerability. For details, see
Asp? LogID = 317 "target = _ blank> http://www.ciker.org/blogview.asp? LogID = 317
Not discussed in this article... although the vulnerability is not very harmful .. but after all, it is somewhat affected... the Administrator is always worried about whether cookies will be stolen .. after a vulnerability exists .. I found it in the background... badwolf, a brother of Heiji, is trying to steal cookies from our factory .. I changed the password .. haha

Then, at night, the Administrator station will be able to fix the vulnerability. For details, see.
Http://www.loveyuki.com/blogview.asp? LogID = 987
For security .. I got another one .. the three files are admincp. functions under asp and include. asp and ubbcode. asp... after overwriting the original file .. try again .. no .. so I breathed a sigh of relief ....... this is the problem .. in the past few days, I have found that all the comments in my blog are
No comment, just reference
So... start with .. I thought a friend did not care about what he intentionally left .. today I found several other things like this .. later, when my sister-in-law came to my BLOG to post comments, he also found that he could not comment... I found the problem ..




When a new log is published, some problems are also found during file upload.
After an image is selected for upload, a message indicating that the upload is successful is returned.
[Img] attachments/month_0505/2005-05-28 23: 15pmes_pinglun.jpg [/img]

Khan. the file name is changed to 23: 15pmes_pinglun.jpg... but this file does not exist during access .. the same is true for FTP .. this means that the file has not been uploaded successfully ..... I am skeptical about the vulnerability fixing mentality again ....

No way... I only studied it myself .. unfortunately, I do not know ASP... fortunately, there are not many files .. only three .. it won't take long to read all the code .. later, after comparing the original code with the vulnerability fix released by the console .. .. the file that plays a major role is also function. asp ..

The admincp. asp file code has not been changed much... a problem was found at a glance.
<% On Error Resume Next %>
& Lt; % On Error Resume Next % & gt; ah... here there is another .... I don't know if it will affect code running .... depressing... not to mention this for the moment .. continue the following ,.,

Ubbcode. asp: the file size is 8 KB, and the original file size is 11 kb... I don't know if this is changed? The code is naturally less than the original one...

Then the function. asp file... function is the function meaning... it looks like this is the main ..
Analyzed... found .. the vulnerability fix code and the original code have only a few changes .. the code that plays a major role in Cross-Site Vulnerabilities
Function CheckLinkStr (Str)
Str = Replace (Str, "events. cookie ",".")
Str = Replace (Str, "document. write ",".")
Str = Replace (Str, "reverse CR & #105; pt:", "reverse CR & #105; pt ")
Str = Replace (Str, "vbscr & #105; pt:", "vbscr & #105; pt ")
Str = Replace (Str, "reverse CR & #105; pt:", "reverse CR & #105; pt ")
Str = Replace (Str, "vbscr & #105; pt:", "vbscr & #105; pt ")
Str = Replace (Str, "[", "& #91 ;")
Str = Replace (Str, "]", "& #93 ;")
Str = Replace (Str, "& lt;", "& #60 ;")
Str = Replace (Str, "& gt;", "& #62 ;")
Str = Replace (Str, "{", "& #123 ;")
Str = Replace (Str, "}", "& #125 ;")
Str = Replace (Str, "|", "& #124 ;")
Str = Replace (Str, "scr & #105; pt", "& #115; success ")
Str = Replace (Str, "SCRIPT", "& #083; success ")
Str = Replace (Str, "Script", "& #083; success ")
Str = Replace (Str, "scr & #105; pt", "& #083; success ")
Str = Replace (Str, "object", "& #111; bject ")
Str = Replace (Str, "OBJECT", "& #079; BJECT ")
Str = Replace (Str, "Object", "& #079; bject ")
Str = Replace (Str, "object", "& #079; bject ")
Str = Replace (Str, "applet", "& #097; pplet ")
Str = Replace (Str, "APPLET", "& #065; PPLET ")
Str = Replace (Str, "Applet", "& #065; pplet ")
Str = Replace (Str, "applet", "& #065; pplet ")
Str = Replace (Str, "embed", "& #101; mbed ")
Str = Replace (Str, "EMBED", "& #069; MBED ")
Str = Replace (Str, "Embed", "& #069; mbed ")
Str = Replace (Str, "embed", "& #069; mbed ")
Str = Replace (Str, "document", "& #100; ocument ")
Str = Replace (Str, "DOCUMENT", "& #068; OCUMENT ")
Str = Replace (Str, "Document", "& #068; ocument ")
Str = Replace (Str, "document", "& #068; ocument ")
Str = Replace (Str, "cookie", "& #099; ookie ")
Str = Replace (Str, "COOKIE", "& #067; OOKIE ")
Str = Replace (Str, "Cookie", "& #067; ookie ")
Str = Replace (Str, "cookie", "& #067; ookie ")
Str = Replace (Str, "event", "& #101; vent ")
Str = Replace (Str, "EVENT", "& #069; VENT ")
Str = Replace (Str, "Event", "& #069; vent ")
Str = Replace (Str, "event", "& #069; vent ")
CheckLinkStr = Str
End Function

Although I don't quite understand what it means... but it seems like this... after modification. debug locally .. successful... but the problem with the comment is still not solved... continue to read the code ....

We found that the repaired function. asp code was less than the original function. asp code... and began to speculate that it was the impact of this code ..
Middle Section
Function GeneratorNum (Length)
Dim I, tempS
TempS = "1234567890"
Generator = ""
If isNumeric (Length) = False Then
Exit Function
End If
For I = 1 to Length
Randomize
Generator = Generator & Mid (tempS, Int (Len (tempS) * Rnd) + 1), 1)
Next
End Function
And the last section
Function ChkBadWords (strContent)
Dim BadWord, aa
BadWord = split (BadWordsStr ,",")
For aa = 0 to ubound (BadWord)
StrContent = Replace (Lcase (strContent), Lcase (BadWord (aa), string (len (BadWord (aa )),"*"))
Next
ChkBadWords = strContent
End Function
% & Gt;


After being added to the file