Title: DotText Cross-Site Scripting Vulnerability
Author: lake2, http://lake2.0x54.org
Bugtraq ID: 13450
Published: Apr 30 2005 12:00AM
Description:
DotText is an open source weblog system started by Scott Watermasysk with ASP.NET. Some weblog system is base on dottext. You can download it in http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=e99fccb3-1a8c-42b5-90ee-348f6b77c407
Where is the bug ?
Referrers.aspx.cs
---------------
if (dataContainer is Referrer)
{
Referrer referrer = (Referrer) dataContainer;
return "<a href=/"" + referrer.ReferrerURL + "/" target=/"_new/">" + referrer.ReferrerURL.Substring(0,referrer.ReferrerURL.Length > 50 ? 50 : referrer.ReferrerURL.Length) + "</a>";
}
---------------
The showed referer isn't encoded with htmlencode , a attacker can construct a referer like as http://X/<script>alert('China')</script> to perform a cross site scripting attack if the blog system isn't disable referer show.
PS: CSDN Blog was base on GotDotNet DotText 0.95 , but now it is CSDN & Donews 0.99 , no referer 
