PSCS VPOP3 Email Server WebAdmin跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107533 漏洞类型 跨站脚本
发布时间 2003-10-22 更新时间 2003-12-31
CVE编号 CVE-2003-1522 CNNVD-ID CNNVD-200312-353
漏洞平台 Multiple CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/23271
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-353
|漏洞详情
PSCSVPOP3WebMailserver2.0e版本和2.0f版本存在跨站脚本(XSS)漏洞。远程攻击者可以借助admin/index.html页的redirect参数注入任意web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/8869/info

It has been reported that PSCS VPOP3 Email Server may be prone to a cross-site scripting vulnerability that may allow a remote attacker to embed malicious HTML and script code in a link. The issue is reported to be present in the WebAdmin utility of the software because of improper sanitization of user-supplied data that will be displayed by the utility.

Successful exploitation of this attack may allow an attacker to steal cookie-based authentication information that could be used to launch further attacks.

PSCS VPOP3 versions 2.0.0e and 2.0.0f have been reported to be prone to this vulnerability, however other versions may be affected as well. 

index.html?redirect=admin/index.html";%0Devil_script;%0D//
|参考资料

来源:BID
名称:8869
链接:http://www.securityfocus.com/bid/8869
来源:www.securiteam.com
链接:http://www.securiteam.com/windowsntfocus/6S00S008KW.html
来源:www.pscs.co.uk
链接:http://www.pscs.co.uk/products/vpop3/whatsnew.html