cPanel跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107408 漏洞类型 跨站脚本
发布时间 2003-07-07 更新时间 2003-08-18
CVE编号 CVE-2003-0521 CNNVD-ID CNNVD-200308-100
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/22874
https://www.securityfocus.com/bid/82752
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200308-100
|漏洞详情
cPanel6.4.2版本存在跨站脚本(XSS)漏洞。远程攻击者可以借助在经由(1)ErrorLog或(2)LatestVisitors屏幕显示时被记录但没被正确引用的URL中的脚本,插入任意HTML并且可能提升cPanel管理员特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/8119/info

cPanel is prone to an HTML injection vulnerability. It is possible for remote attacks to include hostile HTML and script code in requests to cPanel, which will be logged. When logs are viewed by an administrative user, the injected code could be rendered in their browser in the context of the site hosting cPanel.

GET /<script>alert(document.cookie);</script> HTTP/1.0
Host: www.example.com
|受影响的产品
cPanel cPanel 6.4.2 cPanel cPanel 6.4.1 cPanel cPanel 6.4.2 Stable 48 cPanel cPanel 6.4 cPanel cPanel 6.2 cPanel cPanel 6.0 cPanel cPanel 5.3
|参考资料

来源:BUGTRAQ
名称:20030706cPanelMaliciousHTMLTagsInjectionVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105760556627616&w=2