工作资源BadBlue EXT.DLL跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106817 漏洞类型 跨站脚本
发布时间 2002-06-23 更新时间 2006-04-21
CVE编号 CVE-2002-1685 CNNVD-ID CNNVD-200212-552
漏洞平台 Windows CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/21576
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-552
|漏洞详情
BadBlueEnterpriseEdition和PersonalEdition1.7版本及1.7.2版本存在跨站脚本漏洞(XSS)。远程攻击者可以通过将脚本注入到ext.dllISAPI来作为其他用户执行任意脚本。
|漏洞EXP
source: http://www.securityfocus.com/bid/5086/info

BadBlue is a P2P file sharing application distributed by Working Resources. The ext.dll ISAPI does not sufficiently sanitize input. Because of this, it is possible for a user to create a custom URL containing script code that, when viewed in a browser by another user, will result in the execution of the script code. This could allow for the execution of malicious JavaScript in the context of a trusted site. 

http://target/ext.dll?MfcISAPICommand=LoadPage&page=search.htx&a0=%3Cscript%3Ealert('lame')%3C/script%3E&a1=0&a2=1&a3=6
|参考资料

来源:XF
名称:badblue-extdll-xss(9513)
链接:http://xforce.iss.net/xforce/xfdb/9513
来源:BID
名称:5086
链接:http://www.securityfocus.com/bid/5086