
SQL Injection, CSS attacks, Script attacks in Java or J2EE web applications

To prevent SQL injection, CSS attacks and script attacks in Java J2EE-based web applications, we had to add a filter which will inspect each and every field that is submitted to the application.
But be careful, as sometimes this filter may change the values of some inputs.
E.g.: in our test app, when we added this filter, all quotes, say in a name, were replaced by their HTML equivalent.
The reason is that there can be some fields, like name, with a value such as Ram’S (with an apostrophe). The apostrophe here would be replaced with its HTML equivalent. So one way is to not allow the user to enter it (by having validation in the UI), or, if you still need to allow it, exclude that field from the filter.
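
The behaviour described above, as an added example in Java that is not from the original post: it models the filter over a plain map of submitted fields so it runs without a servlet container. The class, method and field names (`FieldEscapeDemo`, `escape`, `filter`, `EXCLUDED`, `nickname`, `comment`) are hypothetical, and the sample input is constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added illustration; all names here are hypothetical.
public class FieldEscapeDemo {

    // Fields exempt from escaping, e.g. a name that may contain an apostrophe.
    // Excluded values pass through raw, so they must be encoded where rendered.
    static final Set<String> EXCLUDED = Set.of("name");

    // Replace HTML-significant characters with their entity equivalents.
    static String escape(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What the filter does to every submitted field, minus the exclusions.
    static Map<String, String> filter(Map<String, String> params) {
        Map<String, String> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String v = e.getValue();
            cleaned.put(e.getKey(), EXCLUDED.contains(e.getKey()) ? v : escape(v));
        }
        return cleaned;
    }

    public static void main(String[] args) {
        // Constructed sample input: the same value in an excluded and a filtered field.
        Map<String, String> submitted = new LinkedHashMap<>();
        submitted.put("name", "Ram'S");
        submitted.put("nickname", "Ram'S");
        submitted.put("comment", "<script>alert(1)</script>");
        filter(submitted).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

Running it shows the excluded `name` field keeping its apostrophe while the same value in `nickname` is rewritten, which is the side effect the post warns about.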

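大汉版通 JCMS Database Configuration File Read Vulnerability

大汉版通 JCMS content management system

大汉版通 JCMS is a content management system built on a J2EE architecture and is mostly used for government portal websites.

The vulnerability arises because the parameter passed in is not filtered when the XML file is read, so the flowcode parameter is controllable. The configuration file is located at WEB-INF/config/dbconfig.xml; because the file extension is fixed, only XML files can be read.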