XMB Forum Multiple Input Validation Vulnerabilities

Vulnerability ID 1107742 Vulnerability type Cross-site scripting
Published 2004-02-23 Updated 2005-10-20
CVE ID CVE-2004-0322
CNNVD-ID CNNVD-200402-089
Platform PHP CVSS score 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/23746
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200402-089
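|Vulnerability details
XMB 1.8 Final SP2 contains multiple cross-site scripting (XSS) vulnerabilities. Remote attackers can execute arbitrary script as other users via (1) the member parameter in member.php, (2) the uid parameter in u2uadmin.php, (3) the user parameter in editprofile.php, (4) an onmouseover event in the align tag when bbcode is allowed, or (5) the img tag when bbcode is allowed.
|Exploit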
source: http://www.securityfocus.com/bid/9726/info
 
XMB Forum has been reported prone to multiple cross-site scripting, HTML injection and SQL injection vulnerabilities. The issues present themselves due to insufficient sanitization of remote user supplied data. An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user or to have malicious SQL queries executed in the underlying database.

http://www.example.com/xmb18sp2/editprofile.php?user=x"><%73cript>alert(document.cookie);</%73cript>
|References

Source: XF
Name: xmb-multiple-scripts-xss(15292)
Link: http://xforce.iss.net/xforce/xfdb/15292
Source: BID
Name: 9726
Link: http://www.securityfocus.com/bid/9726
Source: BUGTRAQ
Name: 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=107756526625179&w=2
Source: XF
Name: xmb-bbcode-execute-code(15294)
Link: http://xforce.iss.net/xforce/xfdb/15294
Source: www.xmbforum.com
Link: http://www.xmbforum.com/community/boards/viewthread.php?tid=746859
Source: BUGTRAQ
Name: 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2
Link: http://archives.neohapsis.com/archives/bugtraq/2004-02/0645.html
