LaoY 2.4 member system has a vulnerability; please patch it promptly



Official patch package download: http://www.laoy8.cn/down/8.14.rar


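Users of the LaoY system may already have noticed in the admin backend that, at 13:00 this afternoon, the vendor announced a vulnerability in the file UserAdd.asp. A comparison of the files shows that the following code was changed: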


currentPage=LaoYRequest(request("page"))
A_Class=LaoYRequest(request("Class"))
hits=LaoYRequest(request("hits"))


Changed to:


currentPage=request("page")
A_Class=request("Class")
hits=request("hits")


 



keyword=CheckStr(request("keyword"))


Changed to:


keyword=trim(request("keyword"))


 


ClassID = LaoYRequest(request.form("ClassID"))


Changed to:


ClassID = trim(request.form("ClassID"))



myyn = LaoYRequest(request.form("myyn"))
mycode = LaoYRequest(request.form("code"))


Changed to:


myyn = request.form("myyn")
mycode = trim(request.form("code"))



id=LaoYRequest(request("id"))


Changed to:


id=CheckStr(request("id"))


 



ID = LaoYRequest(trim(request.form("ID")))
Title = LoseHtml(trim(request.form("Title")))
ClassID = LaoYRequest(trim(request.form("ClassID")))
CopyFrom = LoseHtml(trim(request.form("CopyFrom")))
Author = LoseHtml(trim(request.form("Author")))
Content = request.form("Content")
myyn = LaoYRequest(request.form("myyn"))


Changed to:


ID = CheckStr(trim(request.form("ID")))
Title = LoseHtml(trim(request.form("Title")))
ClassID = CheckStr(trim(request.form("ClassID")))
CopyFrom = LoseHtml(trim(request.form("CopyFrom")))
Author = LoseHtml(trim(request.form("Author")))
Content = request.form("Content")
myyn = CheckStr(request.form("myyn"))


 


 


Sex = LaoYRequest(request.form("UserSex"))
Email = CheckStr(trim(request.form("UserEmail")))
QQ = LaoYRequest(trim(request.form("UserQQ")))


Changed to:


Sex = CheckStr(request.form("UserSex"))
Email = CheckStr(trim(request.form("UserEmail")))
QQ = CheckStr(trim(request.form("UserQQ")))


 



id=LaoYRequest(request("id"))


Changed to:


id=request("id")
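
Added example (not from the original post or the LaoY project): a small Python script that compares two versions of a listing like the ones above and reports, for each request parameter, whether a filter wrapper was removed, changed, or absent in both. Treating LaoYRequest, CheckStr and LoseHtml as input filters is an assumption based on their names, `parse` and `audit` are hypothetical helper names, and the sample lines are copied from the listings on this page.

```python
import re

# Wrapper names that appear on the page. Treating them as input filters is an
# assumption from their names; the page does not show what they do.
FILTERS = {"laoyrequest", "checkstr", "losehtml"}

# var = Wrapper(trim(request.form("Name"))) or the bare request("Name") form.
ASSIGN = re.compile(
    r'^[ \t]*(\w+)[ \t]*=[ \t]*((?:\w+[ \t]*\([ \t]*)*?)'
    r'request(?:\.\w+)?[ \t]*\([ \t]*"([^"]+)"', re.I | re.M)

def parse(source):
    """Return [(variable, parameter, [filters applied])] in source order."""
    source = source.replace("\u201c", '"').replace("\u201d", '"')  # smart quotes
    rows = []
    for var, calls, param in ASSIGN.findall(source):
        names = re.findall(r"(\w+)[ \t]*\(", calls)
        rows.append((var, param, [n for n in names if n.lower() in FILTERS]))
    return rows

def audit(before, after):
    """Pair assignments by position; assumes both versions keep the same order."""
    report = []
    for (var, param, old), (_, _, new) in zip(parse(before), parse(after)):
        if not new:
            status = "filter removed" if old else "unfiltered"
        else:
            status = "unchanged" if old == new else "filter changed"
        report.append((var, param, status))
    return report

# Sample lines copied from the listings on this page (quotes normalised).
BEFORE = '''currentPage=LaoYRequest(request("page"))
keyword=CheckStr(request("keyword"))
id=LaoYRequest(request("id"))
Content =  request.form("Content")
'''
AFTER = '''currentPage=request("page")
keyword=trim(request("keyword"))
id=CheckStr(request("id"))
Content =  request.form("Content")
'''

if __name__ == "__main__":
    for row in audit(BEFORE, AFTER):
        print("%-12s %-8s %s" % row)
```

Any row reported as "filter removed" or "unfiltered" is worth checking against the vendor's patched UserAdd.asp itself before relying on a transcribed listing.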
