Sage内容管理系统跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107212 漏洞类型 跨站脚本
发布时间 2003-02-20 更新时间 2006-01-17
CVE编号 CVE-2003-1243 CNNVD-ID CNNVD-200312-339
漏洞平台 Windows CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/22270
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-339
|漏洞详情
Sage1.0b3版本存在跨站脚本漏洞(XSS)。远程攻击者可以借助mod参数注入任意HTML或web脚本。
|漏洞EXP
source: http://www.securityfocus.com/bid/6894/info

Sage is prone to a cross site scripting vulnerability.

This issue is due to insufficient sanitization of input submitted in URI parameters. As a result, an attacker may create a malicious link to a site hosting Sage, which contains malicious HTML or script code.

When such a link is visited by an unsuspecting user, attacker-supplied script code will be interpreted by their web client. 

http://hostname/?mod=<script>alert(document.cookie)</script>&op=browse
|参考资料

来源:XF
名称:sage-mod-xss(11371)
链接:http://xforce.iss.net/xforce/xfdb/11371
来源:BID
名称:6894
链接:http://www.securityfocus.com/bid/6894
来源:BUGTRAQ
名称:20030219XSSandPathDisclosureinSage
链接:http://archives.neohapsis.com/archives/bugtraq/2003-02/0236.html