PHPWebSite Article.PHP跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106995 漏洞类型 跨站脚本
发布时间 2002-09-25 更新时间 2006-03-03
CVE编号 CVE-2002-2178 CNNVD-ID CNNVD-200212-539
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/21864
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-539
|漏洞详情
phpWebSite0.8.3版本的article.php模块存在跨站脚本(XSS)漏洞。远程攻击者可以借助sid参数执行任意Javascript脚本,正如使用IMG标签。
|漏洞EXP
source: http://www.securityfocus.com/bid/5802/info

Problems with phpWebSite could make it possible to execute arbitrary script code in a vulnerable client.

phpWebSite does not sufficiently filter potentially malicious HTML code from news posts. As a result, when a user views a news posting that contains malicious HTML code, the code contained in the posted message would be executed in the browser of the vulnerable user. This will occur in the context of the site running the phpWebSite software. 

<IMG SRC="javascript:alert('unsecure')">
|参考资料

来源:BID
名称:5864
链接:http://www.securityfocus.com/bid/5864
来源:BUGTRAQ
名称:20021002phpWebSiteXSSVulnerability
链接:http://www.securityfocus.com/archive/1/293879
来源:XF
名称:phpwebsite-img-article-xss(10256)
链接:http://www.iss.net/security_center/static/10256.php