Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62201443807
HistoryMar 31, 2014 - 12:00 a.m.

Web message boards of the Big Three dangerous vulnerability-a vulnerability warning-the black bar safety net

2014-03-3100:00:00
佚名
www.myhack58.com
6
JSON

Message boards as a web page with the viewer interactive media and popular,in a variety of large and small site almost always has its shadow,so the message Board is now the site of a key protagonist,so its safe not not seriously considered,now listed in the guestbook when making the three big risks:

Danger one:wrong message data to be encoded is converted and output directly

No message data is encoded in the conversion,means that allows the user to build an HTML file,if the user in the message Board on the Enter the following loop statement<script>for(i=1;i>0;i++){ alert(i)}</script>that will cause the page is unavailable,it is necessary for the message data to HTML code conversion,in asp with server. HTMLEncode(),the php with htmlspecialchars()

Danger two:don’t limit message The number of words

Now there are a lot of CMS website management system,eliminating the need to manually build the station’s many troubles,the authors found that some CMS although the CAPTCHA,UBB readily available,but on the Message Board of the message word is not limiting,and the message data are generally through the POST method to GET,POST method and some servers by default can receive the data size is 2G,if just a small 1G or so of server space, then such consequences will be dire

Solution:on the client side with the javascript substring()method,the server side of the asp can use the mid()method for a comment word limit

Danger three:store message data capacity is not restricted

As the message volume increases,the server will FREE Up more space to store,this will cause endless waste.

We have to on each page of the message limits the amount,limits per page can only be stored for how many KB of message data,if you exceed the necessary to delete some old message data

In asp using the filesystemobject object can access the stored message of the size of the database

Message boards the production of the three critical vulnerabilities are hoping to attract attention and take appropriate safety measures.

JSON