PHP Cross-Site Scripting Vulnerability

Vulnerability ID: 1107047
Vulnerability type: Cross-site scripting
Published: 2002-10-12
Updated: 2002-12-31
CVE ID: CVE-2002-1954
CNNVD-ID: CNNVD-200212-558
Platform: PHP
CVSS score: 4.3
|Vulnerability Source
https://www.exploit-db.com/exploits/22725
https://www.securityfocus.com/bid/82859
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-558
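|Vulnerability Details
The phpinfo function in PHP 4.2.3 has a cross-site scripting (XSS) vulnerability. Remote attackers can inject arbitrary web script or HTML via the query string argument, as demonstrated using soinfo.php.
|Exploit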
source: http://www.securityfocus.com/bid/7805/info

Scripts that include the PHP phpinfo() debugging function may be prone to cross-site scripting attacks. This could permit remote attackers to create a malicious link to a vulnerable PHP script that includes hostile client-side script code or HTML. If this link is visited, the attacker-supplied code may be rendered in the browser of the user who visits the malicious link.

http://www.example.com/info.php?variable=[code]

where [code] equals hostile HTML or script code.
|Affected Products
PHP PHP 4.2.3
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Serv

|References

Source: www.techie.hopto.org
Link: http://www.techie.hopto.org/vulns/2002-36.txt
Source: XF
Name: php-phpinfo-xss(10355)
Link: http://www.iss.net/security_center/static/10355.php
Source: VULNWATCH
Name: 20021013 PHP Information Functions May Allow Cross-Site Scripting
Link: http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0021.html
Source: BUGTRAQ
Name: 20030603 PHP XSS exploit in phpinfo()
Link: http://archives.neohapsis.com/archives/bugtraq/2003-06/0027.html
