PHP Server Monitor Cross Site Scripting

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1046091 漏洞类型
发布时间 2012-11-22 更新时间 2012-11-22
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012110152
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Author: loneferret of Offensive Security
# Product: PHP Server Monitor
# Version: 2.0.1 (and maybe older versions)
# Google Dork: intext="Powered by PHP Server Monitor v2.0.1"
# (yes people have made this available on the web)
 
# Software Download: http://sourceforge.net/projects/phpservermon/
  
# Tested on: Ubuntu Linux
 
# Software Description
# PHP Server Monitor is a script that checks whether the servers on your list are up and running on the selected ports.
# It comes with a web based user interface where you can add and remove servers or websites from the MySQL database,
# and you can manage users for each server with a mobile number and email address.
# On the "Add server" page, you can choose
# whether it's a "service" or a "website":
 
# Vulnerability: Stored XSS
# Label name or pretty much any other text field such as IP
# Inserting html code can pretty much screw up the whole page as well.
# PoC:
# <script>alert('xss');</script>
# <script>alert(document.cookie);</script>
# <iframe>something</iframe>
#
 
# There are other things I'm sure