Chi Kien Uong Guestbook HTML注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107548 漏洞类型 跨站脚本
发布时间 2003-10-27 更新时间 2006-09-05
CVE编号 CVE-2003-1136 CNNVD-ID CNNVD-200310-073
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/23294
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200310-073
|漏洞详情
ChiKienUongGuestbook1.51版本存在跨站脚本(XSS)漏洞。远程攻击者可以通过电子邮件地址或URL中(1)已发布消息的HTML或(2)onmouseover属性中的Javascript注入任意Web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/8896/info

It has been reported that Chi Kien Uong Guestbook may be prone to a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. The problem is reported to present itself due to insufficient sanitization of user-supplied data when posting an e-mail address or URL to the site. It has been reported that double quotes are not filtered therefore an attacker may be able to append malicious script code in order to be executed on a victim's web browser.

Successful exploitation of this attack may allow an attacker to steal cookie-based authentication information.

" onmouseover="alert(document.cookie)
|参考资料

来源:XF
名称:guestbook-doublequotation-xss(13523)
链接:http://xforce.iss.net/xforce/xfdb/13523
来源:XF
名称:guestbook-html-xss(13522)
链接:http://xforce.iss.net/xforce/xfdb/13522
来源:BID
名称:8896
链接:http://www.securityfocus.com/bid/8896
来源:BID
名称:8895
链接:http://www.securityfocus.com/bid/8895
来源:BUGTRAQ
名称:20031026NewVulnerability
链接:http://www.securityfocus.com/archive/1/342475
来源:OSVDB
名称:2718
链接:http://www.osvdb.org/2718
来源:SECTRACK
名称:1008006
链接:http://securitytracker.com/id?1008006
来源:SECUNIA
名称:10080
链接:http://secunia.com/advisories/10080