Resolve PJBlog3 V3.2 Blog to fix a bug with a malicious registration problem

The day before yesterday found that the number of blog members increased a lot, checked, many of them are malicious registered users and has lasted for several months:





Search the IIS log to find the corresponding post information:

Reference content

2014-12-18 07:29:05 w3svc179938905 42.121.105.222 post/register.asp-80-178.43.73.53 mozilla/5.0+ (Windows+NT+6.1) + applewebkit/537.36+ (khtml,+like+gecko) +chrome/27.0.1453.116+safari/537.36 404 0 2

This means that malicious registration is done by submitting a form, will the verification code be cracked? Clean up the malicious record, the verification code has been upgraded, but yesterday to see malicious registration continues, will not be a digital verification code too easy to crack? Upgrade again in Chinese verification code, today view malicious registration is still in progress

Modify the Register.asp file, save the registration data, and get the following information:

Username=ldoo88w6j&password=qwedsa&confirmpassword=qwedsa&gender=0&email=&hiddenemail=1 &homepage=http%3a%2f%2fcompresseibrig.eu&validate=&action=save&submit2=%e6%b3%a8%e5%86%8c%e6% 96%b0%e7%94%a8%e6%88%b7

Can I register an empty authentication code? Tried on the page, no, but put in the Fiddler2 submitted but registered successful, why? Open Register.asp to see the relevant procedures:

The code is as follows	Copy Code
If CStr (LCase ("GetCode")) <>cstr (LCase (validate)) Then Reinfo (0) = "error Message" Reinfo (1) = "<b> Verification code is incorrect, please return to re-enter </b><br/><a href=" "Javascript:history.go (-1);" " > Click Back </a> " Reinfo (2) = "Erroricon" Register = Reinfo Exit Function End If

Okay, here's a bug:

when submitting with a Third-party program, the value of the common/getcode.asp session ("GetCode") is not invoked, so the null authentication code can also be registered.

Workaround: Open the Register.asp file and modify the program as follows (166 lines):

The code is as follows	Copy Code
If CStr (LCase ("GetCode")) <>cstr (LCase (Validate)) Or session ("GetCode") = "" Then Reinfo (0) = "error Message" Reinfo (1) = "<b> Verification code is incorrect, please return to re-enter </b><br/><a href=" "Javascript:history.go (-1);" " > Click Back </a> " Reinfo (2) = "Erroricon" Register = Reinfo Exit Function End If

OK, problem solved.

PostScript: Online search for the next, the Recruit not only my blog: