This script is possibly vulnerable to XSS (Cross-site scripting). The web application allows file upload, and Acunetix was able to upload a file containing HTML content. When HTML files are accepted, an XSS payload can be injected into the uploaded file. Check Attack details for more information about this attack.
Restrict the file types accepted for upload: check the file extension and only allow specific file types to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files with no base name, such as .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so that the files within it are not executable. If possible, rename the files that are uploaded.
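The checks recommended above, combined in one upload handler. This is an added example, not code from the original post or from Acunetix; the accepted types (PNG, JPG, GIF, PDF) and their magic bytes are an assumption about what the application needs, and the stored file is written to a temporary directory when no upload directory is given.

```python
import os
import secrets
import stat
import tempfile

# Whitelisted extensions and the magic bytes a genuine file of that type
# starts with (assumption: this application only accepts images and PDFs).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

def validate_upload(filename: str, content: bytes) -> str:
    """Return the whitelisted extension of an acceptable upload, else raise ValueError."""
    # Drop any client-supplied path, case-fold, and split on every dot.
    parts = os.path.basename(filename.replace("\\", "/")).strip().lower().split(".")
    if len(parts) < 2 or parts[0] == "":          # no extension, or ".htaccess"
        raise ValueError("missing stem or extension")
    exts = parts[1:]
    # Every segment after the stem must be whitelisted: "shell.php.png" fails
    # on "php", and "web.config" fails on "config".
    if not all(e in ALLOWED for e in exts):
        raise ValueError("extension not allowed")
    # The bytes must look like the declared type: HTML inside a ".png" is
    # exactly the kind of file Acunetix uploaded to plant the XSS payload.
    if not content.startswith(ALLOWED[exts[-1]]):
        raise ValueError("content does not match extension")
    return exts[-1]

def is_rejected(filename: str, content: bytes) -> bool:
    try:
        validate_upload(filename, content)
        return False
    except ValueError:
        return True

def store_upload(filename: str, content: bytes, upload_dir: str = "") -> str:
    ext = validate_upload(filename, content)
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    # Random server-side name: the client never chooses where the file lands.
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o644)  # readable by the web server, executable by nobody
    return path

def is_executable(path: str) -> bool:
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o111)
```

Serving the upload directory with script execution disabled at the web server remains necessary; the file mode alone does not stop a PHP interpreter configured to run every file under that path.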
WordPress Plugin TagNinja ‘id‘ Parameter Cross-Site Scripting (1.0)
WordPress Plugin Relevanssi-A Better Search Cross-Site Scripting (4.0.4)
WordPress Plugin Cart66 Lite::WordPress Ecommerce Cross-Site Scripting (1.5.4)
WordPress Plugin Ultimate Member-User Profile & Membership Arbitrary File Upload (1.0.83)
Original article: https://www.cnblogs.com/chucklu/p/14479212.html