IBM Lotus Domino HTTP webadmin.nsf Quick Console Cross-Site Scripting Vulnerability


Vulnerability ID: 1107801
Vulnerability type: Input validation
Published: 2004-03-17
Updated: 2005-10-20
CVE ID: CVE-2004-2310
CNNVD-ID: CNNVD-200412-838
Platform: Windows
CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/23837
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-838
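|Vulnerability details
Lotus Domino Server is a web-based collaborative application framework that runs on Linux/Unix and Microsoft Windows. The 'Quick Console' function in the server's webadmin.nsf does not adequately filter user-submitted requests, and a remote attacker can exploit this to conduct cross-site scripting attacks. If malicious script code is entered in the "Domino command" field of the 'Quick Console' function, that code can execute in the browser of another user who views the link, disclosing the user's cookie-based authentication information.
|Exploit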
source: http://www.securityfocus.com/bid/9901/info

It has been reported that Lotus Domino server may be prone to a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. The issue presents itself due to insufficient sanitization of user-supplied data via the 'Quick Console' function of 'webadmin.nsf' administrative interface.

IBM Lotus Domino server 6.5.1 has been reported to be prone to this issue, however, it is possible that other versions are affected as well.

1)Go to http://www.example.com/webadmin.nsf
2)Go to "server" tab
3)Go to "Quick console" in the left column
4)Give as "Domino command" <script>alert(document.cookie)</script>
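
The defect class described above is an input echoed into HTML without output encoding, and the cookie exposure depends on the session cookie being readable from script. The following is an added example, not code from Domino or from the original advisory; the page template, function names and cookie name are hypothetical, and it contrasts the unescaped echo with an escaped one plus an HttpOnly session cookie.

```python
import html
from html.parser import HTMLParser

# Constructed template for a hypothetical console page that echoes the
# submitted command back to the browser. Not Domino's actual markup.
PAGE = "<html><body><h1>Quick Console</h1><p>Command: {cmd}</p></body></html>"

# The test string from step 4 above.
SAMPLE = "<script>alert(document.cookie)</script>"


def render_unescaped(command: str) -> str:
    """Before: input is placed into the page verbatim, so markup stays markup."""
    return PAGE.format(cmd=command)


def render_escaped(command: str) -> str:
    """After: HTML-encode the input so the browser renders it as text."""
    return PAGE.format(cmd=html.escape(command, quote=True))


def session_cookie(value: str) -> str:
    """Set-Cookie value for a hypothetical session cookie. HttpOnly keeps the
    cookie out of document.cookie, limiting what an injected script can read."""
    return f"SessionID={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


class _Elements(HTMLParser):
    """Collects the element names an HTML parser sees in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)


def elements_in(page: str) -> list:
    parser = _Elements()
    parser.feed(page)
    parser.close()
    return parser.names


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, elements_in(render(SAMPLE)))
    print("Set-Cookie:", session_cookie("constructed-value"))
```

Parsing the two rendered pages shows the difference directly: only the unescaped page contains a `script` element, while the escaped page carries the same characters as inert text.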
|References

Source: XF
Name: lotus-domino-webadmin-xss(15502)
Link: http://xforce.iss.net/xforce/xfdb/15502
Source: BID
Name: 9901
Link: http://www.securityfocus.com/bid/9901
Source: SECUNIA
Name: 11143
Link: http://secunia.com/advisories/11143
Source: members.lycos.co.uk
Link: http://members.lycos.co.uk/r34ct/main/ibm_lotus_domino/lotus.txt
Source: OSVDB
Name: 4306
Link: http://www.osvdb.org/4306
Source: NSFOCUS
Name: 6184
Link: http://www.nsfocus.net/vulndb/6184
