https://www.exploit-db.com/exploits/24036
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200404-079

phProfession2.5版本中的modules.php存在跨站脚本(XSS)漏洞。远程攻击者可以通过jcode参数注入任意的web脚本或HTML。

source: http://www.securityfocus.com/bid/10190/info
  
Multiple vulnerabilities were reported to exist in phProfession, which is a third-party module for PostNuke. Path disclosure, cross-site scripting and SQL injection vulnerabilities were reported.
  
Exploitation of these issues may reveal sensitive information, allow for account hijacking, content manipulation and attacks against the underlying database.
  
These issues were reported to exist in phProfession 2.5. Other versions may also be affected.

http://www.example.com/postnuke0726/modules.php?op=modload&name=phprofession&file=upload&jcode=[xss code here]

来源:XF
名称:phprofession-jcode-xss(15931)
链接:http://xforce.iss.net/xforce/xfdb/15931
来源:www.waraxe.us
链接:http://www.waraxe.us/index.php?modname=sa&id;=21
来源:BID
名称:10190
链接:http://www.securityfocus.com/bid/10190
来源:OSVDB
名称:5624
链接:http://www.osvdb.org/5624
来源:SECUNIA
名称:11465
链接:http://secunia.com/advisories/11465
来源:BUGTRAQ
名称:20040421[waraxe-2004-SA#021-Multiplevulnerabilitiesinphprofession2.5moduleforPostNuke]
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108258931430060&w;=2