XMB Forum 1.6 – Magic Lantern Cross-Site Scripting

XMB Forum 1.6 – Magic Lantern Cross-Site Scripting

漏洞ID 1053583 漏洞类型
发布时间 2002-05-11 更新时间 2002-05-11
图片[1]-XMB Forum 1.6 – Magic Lantern Cross-Site Scripting-安全小百科CVE编号 N/A
图片[2]-XMB Forum 1.6 – Magic Lantern Cross-Site Scripting-安全小百科CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/21447
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/4721/info

XMB Forum 1.6 Magic Lantern is a web-based discussion forum. It is vulnerable to a number of cross-site scripting issues because of improper filtering of user input.

1. The first involves 'member.php'; submitting script to the variable 'member' in the context of 'action=viewpro' (profile viewing) will cause that script to be returned as an error message.

2. The second involves the 'MSN' information field of a user profile; a registered user can submit script to this field without it being filtered.

3. The third issue can be exploited by submitting a '<script>' tag encoded as '%253Cscript%253E' (note that the percent sign is encoded as '%25', and '3C' and '3E' are the '<' and '>' brackets) to the username variable in the context of 'action=reg' to 'member.php'. 

member.php?action=viewpro&member=<form%20name=o><input%20name=u%20value=XSS></form><script>alert(document.o.u.value)</script>

member.php?action=reg&username=%253Cscript%253E&... .

相关推荐: AIX sccsdiff Insecure Temporary File Creation Vulnerability

AIX sccsdiff Insecure Temporary File Creation Vulnerability 漏洞ID 1104934 漏洞类型 Origin Validation Error 发布时间 1998-06-30 更新时间 1998-06…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享