老Y2.4会员系统有漏洞，请及时修复

老Y2.4会员系统有漏洞，请及时修复

官方补丁包下载地址：http://www.laoy8.cn/down/8.14.rar

使用老Y系统的用户可能已经发现，在后台，官方在今天下午13点发布了UserAdd.asp这个文件的漏洞，比较了一下，其中，修改了以下这些代码：

currentPage=LaoYRequest(request(“page”))
 A_Class=LaoYRequest(request(“Class”))
 hits=LaoYRequest(request(“hits”))

修改为：

currentPage=request(“page”)
 A_Class=request(“Class”)
 hits=request(“hits”)

 

keyword=CheckStr(request(“keyword”))

修改为：

keyword=trim(request(“keyword”))

 

ClassID = LaoYRequest(request.form(“ClassID”))

修改为：

ClassID = trim(request.form(“ClassID”))

myyn = LaoYRequest(request.form(“myyn”))
 mycode = LaoYRequest(request.form(“code”))

修改为：

myyn = request.form(“myyn”)
 mycode = trim(request.form(“code”))

id=LaoYRequest(request(“id”))

修改为：

id=CheckStr(request(“id”))

 

ID =   LaoYRequest(trim(request.form(“ID”)))
 Title =  LoseHtml(trim(request.form(“Title”)))
 ClassID =  LaoYRequest(trim(request.form(“ClassID”)))
 CopyFrom =  LoseHtml(trim(request.form(“CopyFrom”)))
 Author =  LoseHtml(trim(request.form(“Author”)))
 Content =  request.form(“Content”)
 myyn =   LaoYRequest(request.form(“myyn”))

修改为：

ID =   CheckStr(trim(request.form(“ID”)))
 Title =  LoseHtml(trim(request.form(“Title”)))
 ClassID =  CheckStr(trim(request.form(“ClassID”)))
 CopyFrom =  LoseHtml(trim(request.form(“CopyFrom”)))
 Author =  LoseHtml(trim(request.form(“Author”)))
 Content =  request.form(“Content”)
 myyn =   CheckStr(request.form(“myyn”))

 

 

Sex =   LaoYRequest(request.form(“UserSex”))
Email =  CheckStr(trim(request.form(“UserEmail”)))
QQ =   LaoYRequest(trim(request.form(“UserQQ”)))

修改为：

Sex =   CheckStr(request.form(“UserSex”))
Email =  CheckStr(trim(request.form(“UserEmail”)))
QQ =   CheckStr(trim(request.form(“UserQQ”)))

 

id=LaoYRequest(request(“id”))

修改为：

id=request(“id”)