跨站点脚本攻击Cross-site scripting (XSS) 是Web编程中常见的一种计算机安全隐患，他有可能使黑客通过一个精心设计的链接，进行脚本注入运行有害代码，从而有可能获取服务器的控制权进而从事其他有害活动。下面是摘自WIKIPedia的解释：

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.^[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner.

这个问题首先是有温哥华（Vancouve）在冬奥会前的一次安全检查中发现的，Autodesk和MapGuide OSGeo开源社区及时做了研究，并推出了这个安全补丁。如果你的MapGuide站点是供互联网公开访问的，建议你下载安装这个安全补丁。下载地址http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=14915431&linkID=9242179 

Published date: 2010-Mar-30 
ID: DL14915431

Applies to:
Autodesk MapGuide® Enterprise 2010

The following security hotfix addresses these issues:

1255324 - Cross Site Scripting vulnerabilities have been discovered in the MGE 2010 AJAX Viewer

These files can be applied to MGE 2010 Update 1 (TBWeb Update 1) or MGE 2010 Update 1b only.

mge_2010_security_hotfix_1255324.zip (zip - 198Kb)

  Readme (select language version):

• English
• French
• German
• Italian
• Japanese
• Spanish

针对MapGuide OpenSource的安全更新也将于明天发布。

下面我们从源码上简单分析一下这个问题。在MapGuide AjaxViewer中，其中某些页面需要接收参数，如下所示

http://ServerName/mapguide2010/mapviewerajax/mapframe.aspx?LOCALE= [LOCALE parameter]

http://ServerName/mapguide2010/mapviewerajax/mapframe.aspx?MAPDEFINITION= [MAPDEFINITION parameter]

…

我们看其中一个mapframe.aspx获取LOCALE的参数的相关源码，页面加载时会调用GetRequestParameters();来获取相关参数。

<script runat="server">

void GetRequestParameters()
{
    if ("POST"== Request.HttpMethod)
    {
        GetParameters(Request.Form);
    }
    else
    {
        GetParameters(Request.QueryString);
    }
}

void GetParameters(NameValueCollection parameters)
{
    type = GetParameter(parameters, "TYPE");

    locale = GetParameter(parameters, "LOCALE");
    if(locale == "")
        locale = GetDefaultLocale();

    … …

}

GetParameter的定义在common.aspx中

String GetParameter(NameValueCollection parameters, String name)
{
    String strval = parameters[name];
    if (null == strval)
        return ""; 

    return strval.Trim();
}

注意这里并为对参数做特殊检查，如何黑客输入一些精心设计的脚本代码作为参数，形如<script> *&(**&bad code goes here ^&&*&&**$##$%$%## </script>,那就有可能会给MapGuide站点造成损失。

其实补救办法也比较简单，就是我再加一道防线，对客户输入的参数进行验证，从而把恶意代码当在门外。在我们的补丁中做了如下修改：

void GetParameters(NameValueCollection parameters)
{
    type = GetParameter(parameters, "TYPE"); // "DWF" or other
    sessionId = ValidateSessionId(GetParameter(parameters, "SESSION"));
    locale = ValidateLocaleString(GetParameter(parameters, "LOCALE"));
   // ... ...
    
    mapDefinition = ValidateResourceId(GetParameter(parameters, "MAPDEFINITION"));
}

用正则表达式来验证一下：

String ValidateLocaleString(String proposedLocaleString)
{
    // aa or aa-aa
    String validLocaleString = GetDefaultLocale(); // Default
    if(proposedLocaleString != null && (System.Text.RegularExpressions.Regex.IsMatch(proposedLocaleString, "^[A-Za-z]{2}$") || 
        System.Text.RegularExpressions.Regex.IsMatch(proposedLocaleString, "^[A-Za-z]{2}-[A-Za-z]{2}$")))
    {
        validLocaleString = proposedLocaleString;
    }
    return validLocaleString;
}

好了，现在放心多了！ 如果你的系统还没打补丁的话，下载补一下吧。

这里讨论的是.net 版本的，Java版本和PHP版本也有同样的问题，并且有对应的补丁，你可以下载安装，再发一下地址http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=14915431&linkID=9242179 

峻祁连(Daniel Du)