Working Resources BadBlue cleanSearchString()跨站脚本漏洞

Working Resources BadBlue cleanSearchString()跨站脚本漏洞

漏洞ID 1106834 漏洞类型 跨站脚本
发布时间 2002-07-08 更新时间 2005-10-20
图片[1]-Working Resources BadBlue cleanSearchString()跨站脚本漏洞-安全小百科CVE编号 CVE-2002-1683
图片[2]-Working Resources BadBlue cleanSearchString()跨站脚本漏洞-安全小百科CNNVD-ID CNNVD-200212-100
漏洞平台 Windows CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/21599
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-100
|漏洞详情
BadBluePersonalEdition1.7.3版本存在跨站脚本(XSS)漏洞。远程攻击者作为其他用户通过注入脚本到cleanSearchString()函数执行任意脚本。
|漏洞EXP
source: http://www.securityfocus.com/bid/5179/info

BadBlue is a P2P file sharing application distributed by Working Resources. It is designed for use on Microsoft Windows operating systems. BadBlue is operated through a web interface, generated by an included web server running on the local system.

A variant to BID 5086 has been reported to exist. Reportedly, EXT.DLL has been re-designed to pass user input to the cleanSearchString function. Unfortunately, this function is implemented as client side javascript, and unsanitized input must be displayed on the client machine as it is passed to the cleanSearchString function.

Additionally, user supplied input is displayed as the hidden form value "a0" without being sanitized. 

"hi"'));alert("ZING!!!");document.write(cleanSearchString('a

"><script>alert("ZING!!!");</script><
|参考资料

来源:XF
名称:badblue-cleansearchstring-xss(9514)
链接:http://xforce.iss.net/xforce/xfdb/9514
来源:BID
名称:5179
链接:http://www.securityfocus.com/bid/5179

相关推荐: Fusion SBX 1.2 – Remote Command Execution

Fusion SBX 1.2 – Remote Command Execution 漏洞ID 1055116 漏洞类型 发布时间 2005-05-20 更新时间 2005-05-20 CVE编号 N/A CNNVD-ID N/A 漏洞平台 PHP CVSS评分…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享