DaCode News Message HTML注入漏洞

DaCode News Message HTML注入漏洞

漏洞ID 1106997 漏洞类型 跨站脚本
发布时间 2002-09-25 更新时间 2005-10-20
图片[1]-DaCode News Message HTML注入漏洞-安全小百科CVE编号 CVE-2002-1805
图片[2]-DaCode News Message HTML注入漏洞-安全小百科CNNVD-ID CNNVD-200212-260
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/21861
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-260
|漏洞详情
DaCode1.2.0版本存在跨站脚本攻击漏洞。远程攻击者借助IMG标签中Javascript注入任意web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/5798/info

Problems with DaCode could make it possible to execute arbitrary script code in a vulnerable client.

DaCode does not sufficiently filter potentially malicious HTML code from news posts. As a result, when a user views a news posting that contains malicious HTML code, the code contained in the posted message would be executed in the browser of the vulnerable user. This will occur in the context of the site running the DaCode software. 

<IMG SRC="javascript:alert('unsecure')">
|参考资料

来源:BID
名称:5798
链接:http://www.securityfocus.com/bid/5798
来源:XF
名称:cms-news-image-xss(10173)
链接:http://www.iss.net/security_center/static/10173.php
来源:BUGTRAQ
名称:20020924ECHUAlert#2:IMGAttackinthenews:6CMSvulnerables
链接:http://archives.neohapsis.com/archives/bugtraq/2002-09/0307.html

相关推荐: Debian邮件列表漏洞

Debian邮件列表漏洞 漏洞ID 1207014 漏洞类型 输入验证 发布时间 1999-06-22 更新时间 2005-05-02 CVE编号 CVE-1999-0742 CNNVD-ID CNNVD-199906-021 漏洞平台 N/A CVSS评分 …

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享