| 标题 | The ucms1.4.7 has xss |
|---|
| 描述 | 1, steal user information, such as: login account, online banking account, etc
2. Use user identity to read, tamper, add, delete sensitive enterprise data, etc
3. Theft of important information of commercial value
4. Illegal money transfers
5. Force email
6, website hanging horse
7, control the victim machine to launch attacks on other websites
3. Prevent XSS solutions
The root cause of XSS is not fully filtering the data submitted by the client, so the focus is on filtering the information submitted by the user.
Mark important cookies as http only, so that the document.cookie statement in js cannot get cookies.
Only the user is allowed to enter the data we expect. For example, age Indicates the age of a user. Only digits are allowed. All characters other than digits are filtered out.
Perform Html Encode for data: When users submit data, they encode HTML, convert corresponding symbols into entity names, and then proceed to the next step.
Filter or remove special Html tags, such as <script>, <iframe>, < for <, > for >, "for"
Filter tags for js events. For example "onclick=", "onfocus" and so on. |
|---|
| 来源 | ⚠️ https://github.com/Num-Nine/CVE/issues/3 |
|---|
| 用户 | opopo3321 (UID 54028) |
|---|
| 提交 | 2023-09-06 05時39分 (3 年前) |
|---|
| 管理 | 2023-09-16 08時39分 (10 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 239856 [UCMS 1.4.7 ajax.php?do=strarraylist strdefault 跨网站脚本] |
|---|
| 积分 | 19 |
|---|