????? ?????? ??? ASP ????? ??????? CSSI

???? ???????: 253119 - ??? ???????? ???? ????? ????? ??? ???????.

??????

???? ??? ??????? ????? ????? ?????????? ?????? ????? ?????? ?????? (ASP) ???? ???? ??? ??????? ??????? ?????? ??????? (CSSI). ???? ??????? ?????? ?????? ?? ??? ?? ?????? ??? ???? ???? ??????? ???? ??? ?? ??????? ????? ??.

??????? ????

?????? ??????? ??????? ?? ?????? ??????? ASP ???? CSSI ????????:
  1. ???? ?? ????????? ???????? ?? ASP ???? HTML ?????. ???? ASP HTML ??? ??????? ????????:
    Response.Write
    					
    - ? -
    <% =
    					
  2. ????? ?? ??? ??? ????? ??????? HTML ?????? ???????. ???? ?? ???? ??? ???????? ?? ????? ??????. ????? ??????? ??????? ????? ??????? ???????:

    ?? ??? ??????????? ??? ??????
    ???? ??????????? ????? ?????? ??? ASP
    ?????? Request.Form
    Response.Write Request.Form("username")
    									
    ?????? Request.QueryString
    <%=Request.QueryString("username")%>
    									
    Response.Write Request.QueryString("username")
    									
    <a href="http://mysite/showuser.asp?username=<% = 
    Request.QueryString("username") %>">mypage</a>
    									
    <a href="http://mysite/mypage.asp"><%=Request.QueryString("url")%></a>
    									
    ??? ????
    Response.Write("username")
    									
    ????? ???????? / ?????? ?????? ??? ????????
    ' Every row's field is written to the page as-is; if rst("myfield") can
    ' contain user-supplied text it needs Server.HTMLEncode (see below).
    Do While Not rst.EOF
    	Response.Write rst("myfield") & "<br>"
    	rst.MoveNext
    Loop
    									
    ?????? ????? ????? ????????
    Response.Write Request.Cookie("username")
    									
    ???? ????? "?" ??????? ???????
    Response.Write Session("username")
    									
  3. ??? ????? ?? ????????? ???????? ?? ASP ???? HTML ???????? ??? ??????? ????? ??? ????? ???? ????? ????. ????? ???? ????? ??? ???????? ?????? ???????? ?? ??? CSSI ????.

    ?????? ?????? ??? ??? ??????? ?? ????? ??? ????? ?????? ?????? ??? ?????? ?? ?????? ???? ??????? ??????? ???? ???? ????. ??? ?? ????? ???????? ?????? ?? ????? ??? ??????? ?????? ???? ????? ???? ???????? ??????? ???? ????? (?????? ??????). ?? ?????? ?????? ????? ISO 8859-1, ??? ??????? ????????? ?? ????????? ??????? ?? HTML ? HTTP. ??? ?? ???? ??? ???? ??????? ?????? ??? ????? ??? ????????.
    • ??????? ??????? HTMLEncode ????? ?????? ??????? ????? ????? ?????.

      ???? ???? ???? ??? ??????? CSSI ???? ?????? ???????? HTMLEncode ??? ?????? ???????. ???????? ???? HTMLEncode ???????? ?????? ???? ??? ??????? ???? ?? ??????? HTML ??? HTML ???? ???? ??? ?????? (??? ???? ??????? = & ? "="). ?????? ?????? ????? ??? ???????? ??? ???? ????? ? ????? ?????? ??.
      <%
      // HTML-encode the form field first so that any markup in the submitted
      // value is rendered as text instead of being interpreted by the browser.
      var safeUserName = Server.HTMLEncode(Request.Form("UserName"));
      Response.Write("Hello visitor <I>" + safeUserName + "</I>");
      %> 
      						
    • ???? ??????? HTTP_REFERER ?????? ?????? ???? ????? ????? ???.

      ????? HTTP_REFERER ????? ???? ????? URL ??? ?????? ??? ????? ????? ???. ???? ??? ?????? ??? ???? ??? ?????? ??? ?????? ???? ????? ????? ?? ??? ??? ?? ???? ?? ?????? ??????. ????? ?????? ?? HTTP_REFERER ???????? ???????:
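         <%
         ' Page that is expected to link here. The prefix comparison below is
         ' derived from this string with Len(), so the literal and the compared
         ' length cannot drift apart (the original hard-coded 42).
         ' HTTP_REFERER is supplied by the client: it may be empty (proxies,
         ' privacy settings, HTTPS-to-HTTP navigation) or forged, so this is a
         ' convenience check, not an access control.
         Dim sExpectedReferer
         sExpectedReferer = "http://www.myserver.com/AppDir/mainfrm.asp"
         If Left(Request.ServerVariables("HTTP_REFERER"), Len(sExpectedReferer)) <> sExpectedReferer Then
            Response.Redirect sExpectedReferer
         End If
         %> 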
      							
      ??????: ????? ??? ?????? ??? ??????:
      • ?????? ??? ?????? ????? ??????? ?????.
      • ?? ???? ???????? ?? ???? ???????? ?? ??????? ???????? ???? ?? ????? ???? ???? ?????????.
      • ?? ?????????? ???? ????? ?????? ?? ??? ??? ????? ??? HTTPS.
    • ??????? URLEncode ?????? ?????? URL ???? ??? ?????? ??????? ???????.

      ??? ????? ??????? URLEncode URL ????? ????? ??? ?? ??? ???? ?????? ??? ????? ?????. ??? ????? URLs ??????? ??? ?????. ????? ??? ????? URLEncode:
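      <%
            // The base URL must be a string literal (the original was unquoted,
            // which is a syntax error), and the same identifier must be used
            // when it is read (JScript is case-sensitive: BaseURL, not BaseUrl).
            var BaseURL = "http://www.mysite.com/search2.asp?searchagain=";
            // The untrusted value is placed inside a URL, so it is URL-encoded
            // rather than HTML-encoded.
            Response.Write("<a href=\"" + BaseURL +
            Server.URLEncode(Request.QueryString("SearchString")) +
            "\">click-me</a>");
      %>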
      						
    • ????? ?? ????? ?????? ?????? ?? ?????? ???????. ????? ?????? ?????? ???????:
      < > " ' % ; ) ( & +
      							
      ????? ????? ?? ????? ?????? ??? ????? ??? ?? ?? ??? ??? ??? ??? ???????? ???????? ??? ??????? ????? ??.

      ?????? ??? ??????? JavaScript ?????? ???? ????:
      function RemoveBad(strTemp) { 
      	strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,""); 
      return strTemp;
      } 
      							
      ?????? ??? ??????? ????????? ??????? ??????? 5.0 Visual Basic Scripting Edition ?????? ???? ????:
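      ' Returns True when QueryString looks like it carries markup or script:
      ' a <script>/<object>/<applet>/<embed>/<form> tag, any <...> tag, a
      ' character entity (&xxxx;), "eval(" or an "event=" attribute. The angle
      ' brackets are also matched in URL-encoded (%3C / %3E) and entity
      ' (&lt; / &gt;) form. This is a blocklist: a True result is a reason to
      ' reject the input, and anything echoed back still needs HTMLEncode.
      ' Requires Visual Basic Scripting Edition 5.0 (VBScript.RegExp).
      Function ValidateTags(QueryString)
      	Dim o
      	Set o = CreateObject("VBScript.RegExp") ' -> VB Script 5.0

      	Dim sBad

      	sBad = "(<\s*(script|object|applet|embed|form)\s*>)"   ' <  script xxx >
      	sBad = sBad & "|" & "(<.*>)"
                   ' >xxxxx<  warning includes hyperlinks and stuff between > and <
      	sBad = sBad & "|" & "(&.{1,5};)"   ' &xxxx;
      	sBad = sBad & "|" & "eval\s*\("    ' eval  ( 
       	sBad = sBad & "|" & "(event\s*=)"  ' event  =
      	
      	' Also match the encoded forms of the angle brackets. In URL encoding
      	' "<" is %3C and ">" is %3E (hex); the original used %60 / %62, which
      	' are the decimal codes and actually stand for "`" and "b".
      	sBad = Replace(sBad, "<", "(<|%3C|&lt;)")
      	sBad = Replace(sBad, ">", "(>|%3E|&gt;)")
      	
      	o.IgnoreCase = True 'ignore case of string
      	o.Global = False    'stop on first hit

      	o.Pattern = sBad

      	ValidateTags = o.Test(QueryString)

      	Set o = Nothing
      End Function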
      						

?????

????? ?? ?????????? ???? ??????? ??????? ?? ????????? ??????? ??????? ?????? (CERT) ?? ????? Mellon ????:
http://www.cert.org/advisories/CA-2000-02.html
?????? ??? ??????? ??????? ???? ??? ???? ????????? ????????? ??????? ?? "????? ??????? ?? Microsoft:
252985????? ??? ????? ?????? ??????? ???? ??? ?? ??????? ???
253121????? ?????? ??? MTS/ASP ????? ??????? CSSI
253120????? ?????? InterDev Visual ???? ??? ????? ??? ????? CSSI
253117????? ??? ????? ??? ????? CSSI Internet Explorer ? Outlook Express
???? Microsoft ??????? ??? ??????? ?????? ????? ???? ???????? ?? ?????? ??? ????? ??????. ?? ??? ????? ??????? ??? ??????? ??? ???? ?????. ??? ???? Microsoft ??? ??? ????????? ???? ???????.

???????

???? ???????: 253119 - ????? ??? ??????: 02/????? ???????/1426 - ??????: 1.3
????? ???
  • Microsoft Active Server Pages 4.0
????? ??????: 
kbmt kbcodesnippet kbcssi kbhowto kbsecurity kbsecvulnerability KB253119 KbMtar
????? ????
???: ??? ????? ??? ?????? ???????? ?????? ????? ???? ????? ?????????? ????? ?? ????????? ?????? ????. ???? ???? ?????????? ???? ?? ???????? ???????? ?????? ????????? ????? ????????? ???????? ????? ???????? ?????? ?? ?????? ??? ?? ???????? ???????? ?? ????? ??????? ?????? ??? ??????? ?????? ??. ?????? ?? ???? ??? ??????? ???????? ????? ?? ???? ????? ?????? ??? ????? ??? ????? ??????? ?? ????? ?? ?????? ??? ??? ??????? ??????? ?? ????? ????? ????? ????? ?????. ?? ????? ???? ?????????? ??????? ??? ????? ?? ??????? ?? ????? ?????? ?? ??? ????? ?? ????? ??????? ?? ???????? ?? ??? ???????. ???? ???? ?????????? ???????? ??? ????? ?????? ??????? ??????
???? ??? ????? ??????? ?????? ??????????253119
????? ??????? ?? ????? ???? ?? ????? ???????
?? ????? ????? ?????? ???? ???? ???? ??? ??????? ??? ?? ? ?? ??? ??????? Microsoft ??? ????? ??? ??????? ????? ?????? ?????

????? ???????