PHPReactor样式属性HTML注入漏洞

19次阅读
没有评论

PHPReactor样式属性HTML注入漏洞

漏洞ID 1106943 漏洞类型 跨站脚本
发布时间 2002-08-24 更新时间 2002-12-31
PHPReactor样式属性HTML注入漏洞CVE编号 CVE-2002-2424
PHPReactor样式属性HTML注入漏洞CNNVD-ID CNNVD-200212-779
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/21755
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-779
|漏洞详情
PHP(电抗器)1.2.7PL1版本存在跨站脚本漏洞。远程攻击者可以通过HTML标记的样式属性中的JavaScript注入任意web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/5569/info

php(Reactor) does not sufficiently sanitize HTML from various fields (such as in the body of a message or in profile fields). It is possible to inject arbitrary HTML and script code into these fields.

An attacker may potentially exploit this situation to cause arbitrary HTML and script code to execute in the web client of a user of a vulnerable website. The attacker-supplied code will execute in the context of the vulnerable website. 

<b style="expression(alert(document.cookie))">
|参考资料

来源:BID
名称:5569
链接:http://www.securityfocus.com/bid/5569
来源:XF
名称:phpreactor-style-xss(9958)
链接:http://www.iss.net/security_center/static/9958.php
来源:BUGTRAQ
名称:20020824phpReactor-Cross-SiteScriptingviaSTYLE
链接:http://archives.neohapsis.com/archives/bugtraq/2002-08/0262.html

相关推荐: CasecadeSoft W3Mail Attachment Exposure Vulnerability

CasecadeSoft W3Mail Attachment Exposure Vulnerability 漏洞ID 1101730 漏洞类型 Design Error 发布时间 2002-07-25 更新时间 2002-07-25 CVE编号 N/A CNN…

正文完
 0