Ledscripts LedForums多个字段HTML注入漏洞

Ledscripts LedForums多个字段HTML注入漏洞

漏洞ID 1107554 漏洞类型 跨站脚本
发布时间 2003-10-30 更新时间 2005-10-20
图片[1]-Ledscripts LedForums多个字段HTML注入漏洞-安全小百科CVE编号 CVE-2003-1197
图片[2]-Ledscripts LedForums多个字段HTML注入漏洞-安全小百科CNNVD-ID CNNVD-200310-091
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/23313
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200310-091
|漏洞详情
Ledscripts.comLedForumsBeta1版本中的index.php存在跨站脚本(XSS)漏洞。远程攻击者可以通过(1)top_message参数或(2)新线程的主题字段来注入任意Web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/8934/info

It has been reported that LedForums is prone to a HTML injection vulnerability that may allow an attacker to execute HTML code in a user's browser. The issue is reported to be present in the 'top_message' and 'topic' fields. This problem is due to insufficient sanitization of user-supplied input.

Successful exploitation of this vulnerability may allow an attacker to steal cookie-based authentication credentials. Other attacks are also possible.

LedForums Beta 1 has been reported to be vulnerable to this issue.

http://www.example.com/~path/index.php?top_message=<script>alert(document.cookie)</script>
http://www.example.com/~path/index.php?top_message=<h1>OWNED?%20*g*</h1>

<script>window.location='http://www.example.org'</script>
|参考资料

来源:XF
名称:ledforums-topicfield-redirect(13563)
链接:http://xforce.iss.net/xforce/xfdb/13563
来源:XF
名称:ledforums-indexphp-xss(13562)
链接:http://xforce.iss.net/xforce/xfdb/13562
来源:BID
名称:8934
链接:http://www.securityfocus.com/bid/8934
来源:BUGTRAQ
名称:20031030MultipleVulnerabilitiesinLed-Forums
链接:http://www.securityfocus.com/archive/1/342913
来源:SECUNIA
名称:10113
链接:http://secunia.com/advisories/10113

相关推荐: IRIX NetWare Client ipxlink,ipxchk权限许可和访问控制漏洞

IRIX NetWare Client ipxlink,ipxchk权限许可和访问控制漏洞 漏洞ID 1207374 漏洞类型 未知 发布时间 1998-04-08 更新时间 1998-04-08 CVE编号 CVE-1999-1040 CNNVD-ID CN…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享