W-Agora EditForm.PHP Cross-Site Scripting Vulnerability

Vulnerability ID: 1107141    Vulnerability type: Cross-site scripting
Published: 2002-12-22    Updated: 2006-01-24
CVE ID: CVE-2002-2129    CNNVD-ID: CNNVD-200212-157
Platform: PHP    CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/22109
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-157
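|Vulnerability details
editform.php in w-Agora 4.1.5 contains a cross-site scripting (XSS) vulnerability. A remote attacker can execute arbitrary web script via an arbitrary form field name that contains script, which is echoed back when the form is displayed.
|Exploit (EXP)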
source: http://www.securityfocus.com/bid/6464/info

W-Agora is a freely available, open source PHP forum software package. It is available for Unix and Linux systems.

A problem with W-Agora may make cross-site scripting attacks possible.

It has been reported that W-Agora has a vulnerability in the handling of script code. It is possible to format a malicious link containing arbitrary script code or HTML that when clicked on would execute in the security context of the vulnerable site. This would result in a browser security violation, and could lead to the theft of authentication cookies of administrators.

<URL:/editform.php?site=agora&blah=">Bug!>
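
The pattern behind this report, as an added example (not w-Agora source code, which this page does not show): a handler that copies request parameter names and values into hidden form inputs, next to a version that HTML-encodes both. The function names are hypothetical and the sample input is constructed from the query string above.

```php
<?php
// Added illustration; not w-Agora code. All function names are hypothetical.

function h(string $s): string
{
    // Encode &, <, >, " and ' so the string cannot close an attribute or tag.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern: parameter names and values are copied into markup as-is.
function render_hidden_fields_unsafe(array $params): string
{
    $out = '';
    foreach ($params as $name => $value) {
        if (!is_scalar($value)) {
            continue;
        }
        $out .= '<input type="hidden" name="' . $name
              . '" value="' . $value . "\">\n";
    }
    return $out;
}

// Hardened pattern: the field name is encoded as well as the value.
function render_hidden_fields(array $params): string
{
    $out = '';
    foreach ($params as $name => $value) {
        if (!is_scalar($value)) {
            continue; // skip array-valued parameters such as blah[]=x
        }
        // Numeric-looking keys arrive as int, so cast before encoding.
        $out .= '<input type="hidden" name="' . h((string) $name)
              . '" value="' . h((string) $value) . "\">\n";
    }
    return $out;
}

// Constructed input: the page's query string, plus a field whose *name*
// carries markup (the case the CVE description singles out).
$params = ['site' => 'agora', 'blah' => '">Bug!>', 'x">Bug!>' => '1'];

echo render_hidden_fields_unsafe($params);
echo "----\n";
echo render_hidden_fields($params);
```

In the hardened output the quote and angle brackets appear as `&quot;` and `&gt;` inside the attributes; rejecting field names that the form does not expect is a further control on top of encoding.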
|References

Source: XF
Name: wagora-editform-xss(10920)
Link: http://xforce.iss.net/xforce/xfdb/10920
Source: BID
Name: 6464
Link: http://www.securityfocus.com/bid/6464
Source: BUGTRAQ
Name: 20021219 XSS and PHP include bug in W-Agora
Link: http://archives.neohapsis.com/archives/bugtraq/2002-12/0225.html
Source: BUGTRAQ
Name: 20021220 Re: XSS and PHP include bug in W-Agora
Link: http://archives.neohapsis.com/archives/bugtraq/2002-12/0222.html