How to review ASP code for the CSSI vulnerability

Article ID: 253119 - View the products that this article applies to.

Summary

This article describes how to review Active Server Pages (ASP) code for the cross-site scripting security issue (CSSI). The purpose of the review is to determine whether the code is exposed to the vulnerability and, if so, how it should be changed.

More information

To review ASP code for the CSSI vulnerability, follow these steps:
  1. Find every place where the ASP code emits HTML. ASP emits HTML through the following constructs:
    Response.Write

    - or -
    <% =

  2. Determine whether any of the emitted HTML contains data that came from the client. Examine every place where the data being written originates from the user. The following are typical examples of code that is exposed to the problem:

    Examples of code that is prone to the vulnerability
    (the source of the data, followed by the ASP code that emits it)
    Request.Form variables
    Response.Write Request.Form("username")
    									
    Request.QueryString variables
    <%=Request.QueryString("username")%>
    									
    Response.Write Request.QueryString("username")
    									
    <a href="http://mysite/showuser.asp?username=<% = 
    Request.QueryString("username") %>">mypage</a>
    									
    <a href="http://mysite/mypage.asp"><%=Request.QueryString("url")%></a>
    									
    A string literal (shown for contrast: no client data is emitted here)
    Response.Write("username")
    									
    Data from a database, or data stored in a file
    Do While Not rst.EOF
    	Response.Write rst("myfield") & "<br>"
    	rst.MoveNext
    Loop
    									
    Cookie data
    Response.Write Request.Cookie("username")
    									
    Session and Application variables
    Response.Write Session("username")
    									
  3. If the emitted HTML contains data that came from the client, decide how that data must be handled before it is written. The following measures reduce exposure to CSSI; use them together rather than relying on any one of them.

    The general rule is to treat every value received from the client as untrusted and to encode it, or validate it, before it is placed in the page. Filtering is only reliable when the character set of the page is known, because an attacker can otherwise supply an alternative encoding of a character that the filter does not recognise; set the character set explicitly (in ASP, with the Response.Charset property or a Content-Type meta tag) instead of leaving the browser to guess it. In most cases ISO 8859-1 is the appropriate choice, since it is the character set most widely used in HTML and HTTP. A page that declares no character set may be interpreted by the browser differently from what the server intended.
    • Use the HTMLEncode method to encode data before you write it to the page.

      The most direct protection against CSSI is to pass the data through Server.HTMLEncode before it is written. HTMLEncode replaces the characters that have a special meaning in HTML (for example <, >, & and the double quotation mark) with their HTML entities, so the browser displays them as text instead of interpreting them as markup. The data itself is preserved; only its representation changes.
      <%
      // JScript: encode the form value before it becomes part of the HTML
      Response.Write("Hello visitor <I>" +
            Server.HTMLEncode(Request.Form("UserName")) +
            "</I>");
      %>
      						
    • Check the HTTP_REFERER server variable to verify that the request came from your own site.

      The HTTP_REFERER variable holds the URL of the page from which the current request was made. A page can check it to confirm that the visitor arrived from another page on the same site, and redirect to a known entry point if not, which makes it harder to reach the page through a link planted on another site. The following code checks HTTP_REFERER:
         <%
         ' Redirect unless the referring page is our own main frame.
         ' 42 is the length of the expected URL prefix.
         If (Request.ServerVariables("HTTP_REFERER") = "") Or _
            (Left(Request.ServerVariables("HTTP_REFERER"),42) <> _
            "http://www.myserver.com/AppDir/mainfrm.asp") Then
            Response.Redirect "http://www.myserver.com/AppDir/mainfrm.asp"
         End If
         %>
      							
      Note: this method has the following limitations:
      • Not every browser sends the HTTP_REFERER header.
      • The user can turn it off, and proxies or firewalls may remove it from the request.
      • Browsers do not send it when the referring page was loaded over HTTPS and the requested page is not.
      Because the header is supplied by the client it can also be forged, so treat the check as a hurdle rather than as proof of origin, and do not use it as a substitute for encoding the output.
    • Use the URLEncode method to encode a URL parameter before you place it in a link.

      URLEncode escapes the characters that have a special meaning in a URL, so that data from the client that is placed in a query string cannot change the structure or meaning of the URL. Use it whenever a URL is assembled from client data. The following example (JScript) uses URLEncode:
      <%
            // JScript: encode the search string before appending it to the query string
            var BaseURL = "http://www.mysite.com/search2.asp?searchagain=";
            Response.Write("<a href=\"" + BaseURL +
            Server.URLEncode(Request.QueryString("SearchString")) +
            "\">click-me</a>");
      %>
      						
    • Restrict the characters that are accepted as input. Reject input that contains any of the following characters:
      < > " ' % ; ) ( & +

      Note that this list is not sufficient in every situation: which characters are dangerous depends on where the data ends up (element text, an attribute, a URL or script), so use input validation together with the encoding methods above rather than on its own.

      The following JavaScript function removes these characters (and also the hyphen) from a string:
      function RemoveBad(strTemp) {
      	// strip every character in the list above, plus "-"
      	strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
      	return strTemp;
      }

      The following function, written in Visual Basic Scripting Edition 5.0, tests whether the input contains tags, character entities or script constructs, including URL-encoded and entity-encoded forms of < and >:
      Function ValidateTags(QueryString)
      	' Returns True when the input looks like it contains markup or script
      	Dim o
      	Set o = CreateObject("VBScript.RegExp") ' requires VBScript 5.0

      	Dim sBad

      	sBad = "(<\s*(script|object|applet|embed|form)\s*>)"   ' <  script xxx >
      	sBad = sBad & "|" & "(<.*>)"
                   ' <xxxxx>  warning: matches hyperlinks and anything else between < and >
      	sBad = sBad & "|" & "(&.{1,5};)"   ' &xxxx;  (character entities)
      	sBad = sBad & "|" & "eval\s*\("    ' eval  (
      	sBad = sBad & "|" & "(event\s*=)"  ' event  =

      	' Now also check for encoded forms of < and >:
      	' %3C / %3E are the URL-encoded forms, &lt; / &gt; the HTML entities
      	sBad = Replace(sBad, "<", "(<|%3C|&lt;)")
      	sBad = Replace(sBad, ">", "(>|%3E|&gt;)")

      	o.IgnoreCase = True ' ignore case of string
      	o.Global = False    ' stop on first hit

      	o.Pattern = sBad

      	ValidateTags = o.Test(QueryString)

      	Set o = Nothing
      End Function
      						
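The three steps above can be mechanised for a first pass over a code base. The following JavaScript (Node.js) script is an added example, not code from this Knowledge Base article: it finds every Response.Write and <%= ... %> in an ASP source (step 1), checks whether the emitted expression reads from one of the sources listed in step 2 (Request.Form, Request.QueryString, Request.Cookies, Request.ServerVariables, a bare Request(...) lookup, a recordset field, Session or Application), and reports those that are not wrapped in Server.HTMLEncode or Server.URLEncode (step 3). The ASP page it scans is constructed for the example; the recordset variable name rst, the only one it recognises, is an assumption carried over from the table in step 2.

```javascript
// Added example for KB 253119 (not part of the article): a first-pass
// review of ASP source for the CSSI pattern described in steps 1 to 3.

// Step 2: sources of client or stored data that should not reach HTML
// unencoded. "rst" as the recordset name is an assumption from the table.
const DATA_SOURCES = [
  /Request\.Form\b/i,
  /Request\.QueryString\b/i,
  /Request\.Cookies?\b/i,
  /Request\.ServerVariables\b/i,
  /\bRequest\s*\(/i,            // Request("x") searches every collection
  /\brst\s*\(/i,                // recordset field, i.e. data from a database
  /\bSession\s*\(/i,
  /\bApplication\s*\(/i,
];

// Step 3: the encoders the article recommends.
const ENCODER = /Server\.(HTMLEncode|URLEncode)\s*\(/i;

// Step 1: every construct that emits HTML, with the line it starts on.
function findEmits(src) {
  const emits = [];
  const lineOf = (i) => src.slice(0, i).split('\n').length;
  let m;
  // Response.Write expr  /  Response.Write(expr), up to the end of the line
  const rw = /Response\.Write[ \t]*([^\r\n]*)/gi;
  while ((m = rw.exec(src)) !== null) {
    emits.push({ line: lineOf(m.index), kind: 'Response.Write',
                 expr: m[1].replace(/%>\s*$/, '').trim() });
  }
  // <%= expr %>, which may span several lines
  const eq = /<%\s*=\s*([\s\S]*?)%>/g;
  while ((m = eq.exec(src)) !== null) {
    emits.push({ line: lineOf(m.index), kind: '<%=', expr: m[1].trim() });
  }
  return emits.sort((a, b) => a.line - b.line);
}

// Steps 2 and 3 applied to one emit.
function classify(emit) {
  const tainted = DATA_SOURCES.some((r) => r.test(emit.expr));
  if (!tainted) return { ...emit, verdict: 'ok', reason: 'no client or stored data' };
  if (ENCODER.test(emit.expr)) {
    return { ...emit, verdict: 'review', reason: 'encoded; confirm the encoder matches the context' };
  }
  return { ...emit, verdict: 'vulnerable', reason: 'client data written without encoding' };
}

function reviewAsp(src) {
  return findEmits(src).map(classify);
}

function report(src) {
  return reviewAsp(src)
    .map((e) => `line ${e.line} ${e.verdict.padEnd(10)} ${e.kind} ${e.expr}  (${e.reason})`)
    .join('\n');
}

// Constructed ASP page exercising the rows of the table in step 2.
const SAMPLE_ASP = `<%@ Language=VBScript %>
<% Response.Write Request.Form("username") %>
<p>Hello <%= Server.HTMLEncode(Request.QueryString("username")) %></p>
<a href="showuser.asp?username=<%=
   Request.QueryString("username") %>">mypage</a>
<% Response.Write("username")
Do While Not rst.EOF
  Response.Write rst("myfield") & "<br>"
  rst.MoveNext
Loop
Response.Write Server.HTMLEncode(Session("username")) %>`;

console.log(report(SAMPLE_ASP));
```

A "review" verdict is deliberate: HTMLEncode on a value that ends up inside a query string (the showuser.asp link in the table) is the wrong encoder for that context, and only a human reading the surrounding markup can tell, so the script separates "encoded somehow" from "not encoded at all".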
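The encoders and the blacklist filter recommended in step 3 are easiest to compare on real input. The following JavaScript (Node.js) block is an added example, not code from this article: htmlEncode re-implements what Server.HTMLEncode does for <, >, & and the double quotation mark (and, as this example's own choice, also encodes the single quotation mark); urlEncode uses encodeURIComponent, which escapes the same reserved characters as Server.URLEncode but writes a space as %20 rather than +; removeBad is the article's RemoveBad filter unchanged. userLink and anchorText correspond to the two link rows under Request.QueryString in the table of step 2, and show that the same value needs URL encoding inside a query string but HTML encoding inside element text. All inputs are constructed.

```javascript
// Added example for KB 253119 (not part of the article): the article's
// two encoders and its blacklist filter side by side.

// Mirrors Server.HTMLEncode for <, >, & and "; the single quote is this
// example's own addition so the output is also safe in '-quoted attributes.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // first, so entities produced below are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for Server.URLEncode (space becomes %20 here instead of +).
function urlEncode(s) {
  return encodeURIComponent(String(s));
}

// The article's RemoveBad filter, unchanged: deletes < > " ' % ; ( ) & + -
function removeBad(strTemp) {
  return strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, '');
}

// Client data placed in a query string (table row
// <a href="http://mysite/showuser.asp?username=...">): URL-encode the value,
// then HTML-encode the finished URL because it sits inside an attribute.
function userLink(username) {
  const url = 'http://mysite/showuser.asp?username=' + urlEncode(username);
  return '<a href="' + htmlEncode(url) + '">mypage</a>';
}

// Client data used as the visible text of a link (table row
// <a href="http://mysite/mypage.asp"><%=Request.QueryString("url")%></a>).
function anchorText(text) {
  return '<a href="http://mysite/mypage.asp">' + htmlEncode(text) + '</a>';
}

// What each defence does to one input: stripping destroys legitimate
// data, encoding preserves it while disarming markup.
function compare(input) {
  return { stripped: removeBad(input), encoded: htmlEncode(input) };
}

const SAMPLES = [                       // constructed inputs
  "O'Brien & Sons (50%)",               // legitimate data containing listed characters
  '<script>alert("x")</script>',        // the classic CSSI payload
];
for (const s of SAMPLES) console.log(JSON.stringify(compare(s)));
console.log(userLink('a b&c=d'));
console.log(anchorText('<img src=x onerror=alert(1)>'));
```

The filter turns "O'Brien & Sons (50%)" into "OBrien  Sons 50", which is why the article pairs the blacklist with encoding rather than offering it as the only measure: encoding keeps the data intact and the choice of encoder follows from where the data lands, not from which characters it happens to contain.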

References

For more information about this vulnerability, see the following advisory from the CERT Coordination Center at Carnegie Mellon University:
http://www.cert.org/advisories/CA-2000-02.html
For more information about related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:
252985 How to prevent cross-site scripting security issues
253121 How to review MTS/ASP code for the CSSI vulnerability
253120 How to review Visual InterDev generated code for the CSSI vulnerability
253117 How to prevent the CSSI vulnerability in Internet Explorer and Outlook Express
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Properties

Article ID: 253119 - Last Review: 02/[month unreadable]/1426 - Revision: 1.3
Applies to
  • Microsoft Active Server Pages 4.0
Keywords: 
kbmt kbcodesnippet kbcssi kbhowto kbsecurity kbsecvulnerability KB253119 KbMtar