Temporary fix for the HdWiki cross-site scripting vulnerability [20090505]

So far the only places found are the search box and the entry-name field: the content submitted there is not filtered, which allows cross-site scripting attacks. Attacks of this kind are usually fairly easy to spot, though, so unless the site is a large one or a security-related one the impact is not very big.
Still, here is a temporary fix:
Open “/control/search.php”
and escape the submitted content (provided by Terry from the HDwiki group)

// Build the search text from the submitted keyword (tag searches are prefixed with "TAG:")
$searchtext=stripslashes($element['searchtype']=="tag"?"TAG:".stripslashes($element['keyword']):stripslashes($element['keyword']));
$this->view->assign('categorylist',$categorylist);
// Escape the search text before it is echoed back into the page
$this->view->assign("searchtext",htmlspecialchars($searchtext));
$this->view->assign("list",$list);
// The keyword is escaped the same way before it is used in the navigation title
$this->view->assign('navtitle',$this->view->lang['search'].'-'.string::substring(htmlspecialchars($element['keyword']),0,20));

Likewise in doc.php

// The posted title is trimmed, filtered and escaped with htmlspecialchars before it is cut to 80 characters
$title=string::substring(string::stripscript($_ENV['doc']->htmlspecialchars(replace_danger_word(trim($this->post['title'])))),0,80);

I also found that when you type an “entry name” into the default input and choose to go to the entry, the title variable only has its leading and trailing whitespace stripped before it is handed to the SQL statement; HDwiki just does a special “call” when using it (I went off to clean up a virus this afternoon and still haven't sat down to look into it carefully..)

// Only leading and trailing whitespace is removed from the submitted title
$title=trim($this->post['searchtext']);
...
// $title is interpolated straight into the LIKE pattern of the query
$sql="select d.did,d.tag,d.title,d.author,d.authorid,d.time,d.summary from wiki_doc d where d.title LIKE '%$title%' order by d.time desc";
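As an added example (not HDWiki's own code), here is how the two spots above can be hardened together: the search text is escaped at output time with ENT_QUOTES, and the title lookup binds the LIKE pattern as a parameter instead of interpolating $title into the SQL. It assumes a PDO connection to the database holding the wiki_doc table; the function names are my own.

```php
<?php
// Added example, not HDWiki's own code. Assumes a PDO connection ($pdo) to
// the database that holds the wiki_doc table used in the original query;
// the function names here are hypothetical.

// Build the text shown back to the user, escaping it at output time.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// attribute values as well as in element content.
function safe_search_text(array $element): string
{
    $keyword = stripslashes($element['keyword'] ?? '');
    $searchtext = (($element['searchtype'] ?? '') === 'tag')
        ? 'TAG:' . $keyword
        : $keyword;
    return htmlspecialchars($searchtext, ENT_QUOTES, 'UTF-8');
}

// Escape LIKE metacharacters so the user's input is matched literally.
// MySQL's default LIKE escape character is the backslash.
function escape_like(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

// The doc.php lookup with the title passed as a bound parameter: the
// database receives the pattern as data, never as part of the SQL text.
function find_docs_by_title(PDO $pdo, string $rawTitle): array
{
    $title = trim($rawTitle);
    $stmt = $pdo->prepare(
        'SELECT d.did, d.tag, d.title, d.author, d.authorid, d.time, d.summary'
        . ' FROM wiki_doc d WHERE d.title LIKE :pattern ORDER BY d.time DESC'
    );
    $stmt->execute([':pattern' => '%' . escape_like($title) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch with a constructed keyword: unescaped, this would be echoed
// into the page as a live script tag; escaped, it is shown as plain text.
$element = ['searchtype' => 'doc', 'keyword' => '<script>alert(1)</script>'];
echo safe_search_text($element), "\n";
```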
