Agora.CGI跨站脚本执行漏洞

Agora.CGI跨站脚本执行漏洞

漏洞ID 1106545 漏洞类型 未知
发布时间 2001-12-17 更新时间 2005-05-02
图片[1]-Agora.CGI跨站脚本执行漏洞-安全小百科CVE编号 CVE-2001-1199
图片[2]-Agora.CGI跨站脚本执行漏洞-安全小百科CNNVD-ID CNNVD-200112-110
漏洞平台 CGI CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/21184
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200112-110
|漏洞详情
Agora.cgi是一个免费,开放源码的网上售货系统。Agora.cgi存在跨站脚本执行漏洞,可以使攻击者通过窃取Cookie等手段获得敏感信息。攻击者可以在运行了Agora.cgi的Web页面上放置包含了任意脚本代码的链接,用户如果点击了该链接,则脚本就会在用户Web浏览器环境下执行。攻击者可能借此收集到用户当前的Cookie,这些Cookie中可能包含有敏感信息。已经证实3.3e版的软件是有此问题的,其它以下的低版本可能也有此问题。
|漏洞EXP
source: http://www.securityfocus.com/bid/3702/info

Agora.cgi is a freely available, open source shopping cart system.

When debug mode is enabled, the Agora.cgi script does not adequately filter HTML tags when debug information is being output. Debug mode is not enabled by default and must be explicitly turned on by an administrator.

As a result, it is possible for an attacker to construct a link to the script that includes maliciously constructed script code. When the link is clicked by a web user, the script code will be executed by the client in the context of the site running Agora.cgi.

This issue may be exploited to by an attacker to steal cookie-based authentication credentials, permitting the attacker to hijack an Agora.cgi session and perform actions as a legitimate user. A number of other cross-site scripting attacks are also possible.

http://agorasite/store/agora.cgi?cart_id=<script>alert(document.cookie)</script>&xm=on&product=HTML
|参考资料

来源:BID
名称:3702
链接:http://www.securityfocus.com/bid/3702
来源:BUGTRAQ
名称:20011217Agoracgiv3.3eCrossSiteScriptingVulnerability
链接:http://www.securityfocus.com/archive/1/246044
来源:XF
名称:agora-cgi-css(7708)
链接:http://www.iss.net/security_center/static/7708.php
来源:www.agoracgi.com
链接:http://www.agoracgi.com/security.html
来源:OSVDB
名称:698
链接:http://www.osvdb.org/698

相关推荐: PHPWebThings Utility Script Direct Access Vulnerability

PHPWebThings Utility Script Direct Access Vulnerability 漏洞ID 1102549 漏洞类型 Access Validation Error 发布时间 2002-01-29 更新时间 2002-01-29 …

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享