L-Blog 最新日志留言漏洞的修正方法(危险指数:高)

2006-04-14 21:54:19

漏洞介绍:

现在说一下具体是什么漏洞,分两步: 打开一篇日志,在这篇日志里留言。

1、首先打上这样一句话(示例留言在本页中未能保留)。如果发现页面直接跳转到 http://www.lccy163.com ,这就说明日志留言有漏洞。

2、把上面的那句留言改成这句(示例留言同样未能保留),再看看吧。

我简单测试了几个 L-blog,包括老大的博客 Loveyuki's BLOG,只要是 L-blog 的版本都存在此漏洞。

修正方法:

打开 include/ubbcode.asp 文件,找到代码

[code]
Function CheckLinkStr(Str)
    Str = Replace(Str, "document.cookie", ".")
    Str = Replace(Str, "document.write", ".")
    Str = Replace(Str, "javascript:", "javascript ")
    Str = Replace(Str, "vbscript:", "vbscript ")
    Str = Replace(Str, "javascript :", "javascript ")
    Str = Replace(Str, "vbscript :", "vbscript ")
    Str = Replace(Str, "[", "&#91;")
    Str = Replace(Str, "]", "&#93;")
    Str = Replace(Str, "<", "&#60;")
    Str = Replace(Str, ">", "&#62;")
    Str = Replace(Str, "{", "&#123;")
    Str = Replace(Str, "}", "&#125;")
    Str = Replace(Str, "|", "&#124;")
    Str = Replace(Str, "script", "&#115;cript")
    Str = Replace(Str, "SCRIPT", "&#083;CRIPT")
    Str = Replace(Str, "Script", "&#083;cript")
    Str = Replace(Str, "script", "&#083;cript")
    Str = Replace(Str, "object", "&#111;bject")
    Str = Replace(Str, "OBJECT", "&#079;BJECT")
    Str = Replace(Str, "Object", "&#079;bject")
    Str = Replace(Str, "object", "&#079;bject")
    Str = Replace(Str, "applet", "&#097;pplet")
    Str = Replace(Str, "APPLET", "&#065;PPLET")
    Str = Replace(Str, "Applet", "&#065;pplet")
    Str = Replace(Str, "applet", "&#065;pplet")
    Str = Replace(Str, "embed", "&#101;mbed")
    Str = Replace(Str, "EMBED", "&#069;MBED")
    Str = Replace(Str, "Embed", "&#069;mbed")
    Str = Replace(Str, "embed", "&#069;mbed")
    Str = Replace(Str, "document", "&#100;ocument")
    Str = Replace(Str, "DOCUMENT", "&#068;OCUMENT")
    Str = Replace(Str, "Document", "&#068;ocument")
    Str = Replace(Str, "document", "&#068;ocument")
    Str = Replace(Str, "cookie", "&#099;ookie")
    Str = Replace(Str, "COOKIE", "&#067;OOKIE")
    Str = Replace(Str, "Cookie", "&#067;ookie")
    Str = Replace(Str, "cookie", "&#067;ookie")
    Str = Replace(Str, "event", "&#101;vent")
    Str = Replace(Str, "EVENT", "&#069;VENT")
    Str = Replace(Str, "Event", "&#069;vent")
    Str = Replace(Str, "event", "&#069;vent")
    CheckLinkStr = Str
End Function
[/code]

替换为

[code]
Function CheckLinkStr(Str)
    If Len(Str) > 0 Then
        Str = Replace(Str, "document.cookie", ".",1,-1,1)
        Str = Replace(Str, "document.write", ".",1,-1,1)
        Str = Replace(Str, "javascript:", "javascript ",1,-1,1)
        Str = Replace(Str, "vbscript:", "vbscript ",1,-1,1)
        Str = Replace(Str, "javascript :", "javascript ",1,-1,1)
        Str = Replace(Str, "vbscript :", "vbscript ",1,-1,1)
        Str = Replace(Str, "[", "&#91;",1,-1,1)
        Str = Replace(Str, "]", "&#93;",1,-1,1)
        Str = Replace(Str, "<", "&#60;",1,-1,1)
        Str = Replace(Str, ">", "&#62;",1,-1,1)
        Str = Replace(Str, "{", "&#123;",1,-1,1)
        Str = Replace(Str, "}", "&#125;",1,-1,1)
        Str = Replace(Str, "|", "&#124;",1,-1,1)
        Str = Replace(Str, "script", "&#115;cript",1,-1,1)
        Str = Replace(Str, "SCRIPT", "&#083;CRIPT",1,-1,1)
        Str = Replace(Str, "Script", "&#083;cript",1,-1,1)
        Str = Replace(Str, "script", "&#083;cript",1,-1,1)
        Str = Replace(Str, "object", "&#111;bject",1,-1,1)
        Str = Replace(Str, "OBJECT", "&#079;BJECT",1,-1,1)
        Str = Replace(Str, "Object", "&#079;bject",1,-1,1)
        Str = Replace(Str, "object", "&#079;bject",1,-1,1)
        Str = Replace(Str, "applet", "&#097;pplet",1,-1,1)
        Str = Replace(Str, "APPLET", "&#065;PPLET",1,-1,1)
        Str = Replace(Str, "Applet", "&#065;pplet",1,-1,1)
        Str = Replace(Str, "applet", "&#065;pplet",1,-1,1)
        Str = Replace(Str, "embed", "&#101;mbed",1,-1,1)
        Str = Replace(Str, "EMBED", "&#069;MBED",1,-1,1)
        Str = Replace(Str, "Embed", "&#069;mbed",1,-1,1)
        Str = Replace(Str, "embed", "&#069;mbed",1,-1,1)
        Str = Replace(Str, "document", "&#100;ocument",1,-1,1)
        Str = Replace(Str, "DOCUMENT", "&#068;OCUMENT",1,-1,1)
        Str = Replace(Str, "Document", "&#068;ocument",1,-1,1)
        Str = Replace(Str, "document", "&#068;ocument",1,-1,1)
        Str = Replace(Str, "cookie", "&#099;ookie",1,-1,1)
        Str = Replace(Str, "COOKIE", "&#067;OOKIE",1,-1,1)
        Str = Replace(Str, "Cookie", "&#067;ookie",1,-1,1)
        Str = Replace(Str, "cookie", "&#067;ookie",1,-1,1)
        Str = Replace(Str, "event", "&#101;vent",1,-1,1)
        Str = Replace(Str, "EVENT", "&#069;VENT",1,-1,1)
        Str = Replace(Str, "Event", "&#069;vent",1,-1,1)
        Str = Replace(Str, "event", "&#069;vent",1,-1,1)
    End if
    CheckLinkStr = Str
End Function
[/code]

小说明

Str = Replace(Str, "document.cookie", ".")
改成
Str = Replace(Str, "document.cookie", ".",1,-1,1)

Replace 函数的最后一个参数 1 指定文本比较方式(默认为二进制比较)。文本比较的话,Abc=ABC,二进制比较则不等。 这样处理后,不管你输入 javascript 还是 javascripT 或 JaVASCript,replace 都能给处理掉。

补充说明: 改用文本比较后,每个关键字的第一条 Replace 已经匹配该关键字的所有大小写形式,后面针对大写、首字母大写的几条不会再命中,保留或删除都不影响结果。另外,这种关键字黑名单只适合作为应急修补,规则很容易出现遗漏;更稳妥的做法是在输出留言内容时统一用 Server.HTMLEncode 编码,并对链接地址只放行 http://、https:// 等白名单协议。