Title: DotText Cross-Site Scripting Vulnerability

Author: lake2, http://lake2.0x54.org

Bugtraq ID:  13450

Published: Apr 30 2005 12:00AM

Description:

      DotText is an open source weblog system started by Scott Watermasysk with ASP.NET. Some weblog system is base on dottext. You can download it in http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=e99fccb3-1a8c-42b5-90ee-348f6b77c407

Where is the bug ?

Referrers.aspx.cs

---------------

if (dataContainer is Referrer)
{
 Referrer referrer = (Referrer) dataContainer;
 return "<a href=\"" + referrer.ReferrerURL + "\" target=\"_new\">" + referrer.ReferrerURL.Substring(0,referrer.ReferrerURL.Length > 50 ? 50 : referrer.ReferrerURL.Length) + "</a>";
}

---------------

The showed referer isn't encoded with htmlencode , a attacker can construct a referer like as http://X/<script>alert('China')</script> to perform a cross site scripting attack if the blog system isn't disable referer show.

PS:  CSDN Blog was base on GotDotNet DotText 0.95 ,  but now it is CSDN & Donews 0.99 , no referer :)

发表于 @ 2005年12月15日 22:34:00|评论(loading...)|编辑