LaoY 2.4 member system has a vulnerability; please patch it promptly

August 14, 2009, 16:47:36


Official patch package download: http://www.laoy8.cn/down/8.14.rar


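Users of the LaoY system may already have noticed that, in the admin backend, the vendor announced a vulnerability in the file UserAdd.asp at 13:00 this afternoon. Comparing the files shows that the following code was changed: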


currentPage=LaoYRequest(request("page"))
 A_Class=LaoYRequest(request("Class"))
 hits=LaoYRequest(request("hits"))


Changed to:


currentPage=request("page")
 A_Class=request("Class")
 hits=request("hits")


 



keyword=CheckStr(request("keyword"))


Changed to:


keyword=trim(request("keyword"))


 


ClassID = LaoYRequest(request.form("ClassID"))


Changed to:


ClassID = trim(request.form("ClassID"))



myyn = LaoYRequest(request.form("myyn"))
 mycode = LaoYRequest(request.form("code"))


Changed to:


myyn = request.form("myyn")
 mycode = trim(request.form("code"))



id=LaoYRequest(request("id"))


Changed to:


id=CheckStr(request("id"))


 



ID =   LaoYRequest(trim(request.form("ID")))
 Title =  LoseHtml(trim(request.form("Title")))
 ClassID =  LaoYRequest(trim(request.form("ClassID")))
 CopyFrom =  LoseHtml(trim(request.form("CopyFrom")))
 Author =  LoseHtml(trim(request.form("Author")))
 Content =  request.form("Content")
 myyn =   LaoYRequest(request.form("myyn"))


Changed to:



ID =   CheckStr(trim(request.form("ID")))
 Title =  LoseHtml(trim(request.form("Title")))
 ClassID =  CheckStr(trim(request.form("ClassID")))
 CopyFrom =  LoseHtml(trim(request.form("CopyFrom")))
 Author =  LoseHtml(trim(request.form("Author")))
 Content =  request.form("Content")
 myyn =   CheckStr(request.form("myyn"))


 


 


Sex =   LaoYRequest(request.form("UserSex"))
Email =  CheckStr(trim(request.form("UserEmail")))
QQ =   LaoYRequest(trim(request.form("UserQQ")))


Changed to:


Sex =   CheckStr(request.form("UserSex"))
Email =  CheckStr(trim(request.form("UserEmail")))
QQ =   CheckStr(trim(request.form("UserQQ")))


 



id=LaoYRequest(request("id"))


Changed to:


id=request("id")
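When reviewing a comparison like the one above, it helps to list which request parameters end up with no filter helper at all, so their later use (for example in SQL statements) can be checked by hand. The following Python script is an added example, not part of the original post or of LaoY's code. It treats `LaoYRequest`, `CheckStr` and `LoseHtml` as opaque project helpers whose behaviour the page does not show, and the names `wrappers` and `audit` are hypothetical.

```python
import re

# name = f(g(request("param"))) or request.form("param"), as in the lines above
ASSIGN = re.compile(
    r'^\s*(\w+)\s*=\s*(.*?)\brequest(?:\.form)?\("(\w+)"\)\)*\s*$', re.I)
NOT_A_FILTER = {"trim"}  # VBScript Trim only strips surrounding whitespace

def wrappers(line):
    """Return (variable, parameter, [helper names]) or None if not an assignment."""
    m = ASSIGN.match(line)
    if not m:
        return None
    var, chain, param = m.groups()
    names = re.findall(r'(\w+)\s*\(', chain)
    return var, param, [n for n in names if n.lower() not in NOT_A_FILTER]

def audit(pairs):
    """Classify each (before, after) pair by what happened to its helper chain."""
    report = []
    for before, after in pairs:
        b, a = wrappers(before), wrappers(after)
        if not b or not a or b[:2] != a[:2]:
            report.append((before.strip(), None, "unparsed"))
        elif not a[2]:
            # Only raw request(...) or trim(...) remains after the change.
            report.append((a[0], a[1], "UNFILTERED"))
        elif a[2] != b[2]:
            change = "%s -> %s" % ("/".join(b[2]) or "none", "/".join(a[2]))
            report.append((a[0], a[1], "changed: " + change))
        else:
            report.append((a[0], a[1], "same"))
    return report

# Before/after pairs copied from the comparison on this page.
PAIRS = [
    ('id=LaoYRequest(request("id"))', 'id=CheckStr(request("id"))'),
    ('keyword=CheckStr(request("keyword"))', 'keyword=trim(request("keyword"))'),
    ('hits=LaoYRequest(request("hits"))', 'hits=request("hits")'),
    ('ClassID = LaoYRequest(request.form("ClassID"))',
     'ClassID = trim(request.form("ClassID"))'),
    ('Title =  LoseHtml(trim(request.form("Title")))',
     'Title =  LoseHtml(trim(request.form("Title")))'),
]

if __name__ == "__main__":
    for row in audit(PAIRS):
        print(row)
```

Rows marked `UNFILTERED` are the ones to trace through the rest of UserAdd.asp first.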
