Four high-severity findings:
1. Three form fields do not filter special characters. Special characters must be handled on both the front end and the back end (username, password and captcha must not contain special characters). Filtering the input is a stopgap for the scanner: the real fix for the sink is parameterized SQL and output encoding, and once the password is hashed client-side (item 2) the server only ever receives hex, so the special-character rule on that field only matters in the browser.
2. MD5 hashing of the password (the scanner calls it "encryption"; MD5 is a one-way hash, and hashing in the browser only keeps the plaintext off the wire. It does not replace HTTPS, it is replayable unless the server issues a one-time nonce, and the server must still store a salted, slow hash such as bcrypt or PBKDF2 rather than the raw MD5).
jQuery MD5 plugin: http://download.csdn.net/detail/chaobin05240108/6764397
Files changed: the front-end pages for login, change password and reset password.
The login page should preferably not be submitted with a form but with JS, e.g. window.location="xxx.action?sdfs=sfsf"; and the front-end page should preferably not contain a <form> ... </form> tag at all. Caveat: window.location sends the parameters as a GET query string, which lands in browser history, proxy logs and the server access log, so the hashed credential should be sent in a POST body (XMLHttpRequest/fetch) over HTTPS instead.
One medium-severity finding: insecure HTTP methods enabled
This is an HTTP method permission problem and is fixed in Tomcat's web.xml. Note that Tomcat's Connector already refuses TRACE by default (allowTrace="false"); the constraint below covers the rest. Denying HEAD and OPTIONS also affects legitimate clients (load-balancer health checks, CORS preflight), so drop those two entries if the application needs them.
A. Locate Tomcat 6.0\conf\web.xml (this file applies to every web application on the instance, which is what the /* pattern relies on)
(1) Add:
<security-constraint>
<web-resource-collection>
<web-resource-name>xjtrace2admin</web-resource-name><!-- GET, HEAD, POST, PUT, DELETE, OPTIONS -->
<url-pattern>/*</url-pattern>
<http-method>SEARCH</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>COPY</http-method>
<http-method>MOVE</http-method>
<http-method>PROPFIND</http-method>
<http-method>PROPPATCH</http-method>
<http-method>MKCOL</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
</web-resource-collection>
<!-- an auth-constraint that names no role denies the listed methods to everyone (HTTP 403);
     the original note used <role-name></role-name>, which is the same intent written less cleanly -->
<auth-constraint/>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- not strictly required once nobody can satisfy the constraint, but harmless -->
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
(2) Locate
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
and add after it (readonly is already true by default for DefaultServlet; setting it explicitly makes sure PUT and DELETE to static content are refused even if the constraint above is edited later)
<init-param>
<param-name>readonly</param-name>
<param-value>true</param-value>
</init-param>
B. Removing Tomcat's default web applications
Locate Tomcat 6.0\webapps\
Delete the three folders ROOT, examples and docs. (The manager and host-manager applications in the same directory are the actual admin console; remove them too unless they are in use.)