Pegasi Web服务器多个输入验证漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107785 漏洞类型 跨站脚本
发布时间 2004-03-11 更新时间 2006-01-19
CVE编号 CVE-2004-2618 CNNVD-ID CNNVD-200412-337
漏洞平台 Linux CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/23803
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-337
|漏洞详情
PegasiWeb服务器(PWS)0.2.2版本存在跨站脚本(XSS)漏洞。远程攻击者可以借助初始'/'(斜线)后直接跟着的URI注入任意web脚本。
|漏洞EXP
source: http://www.securityfocus.com/bid/9847/info
 
Multiple vulnerabilities have been identified in the application that may allow a remote attacker to carry out directory traversal and cross-site scripting attacks. A successful cross-site scripting attack may make it possible for an attacker to create a malicious link to a vulnerable site that includes hostile HTML and script code. This code may be rendered in the browser of a victim user who visits the malicious link and this will occur in the security context of the site hosting the software. The directory traversal vulnerability may allow a malicious user to request files outside of the web-server root directory with directory traversal strings such as '../'.
 
Pegasi Web Server version 0.2.2 has been reported to be prone to these issues, however, it is possible that other versions are affected as well.

http://www.example.com/<script>alert("Test")</script>
|参考资料

来源:BID
名称:9847
链接:http://www.securityfocus.com/bid/9847
来源:www.autistici.org
链接:http://www.autistici.org/fdonato/advisory/pws0.2.2-adv.txt
来源:sourceforge.net
链接:http://sourceforge.net/forum/forum.php?forum_id=359660
来源:SECUNIA
名称:11122
链接:http://secunia.com/advisories/11122
来源:BUGTRAQ
名称:20040314Re:MultipleVulnerabilitiesinPWS0.2.2
链接:http://archives.neohapsis.com/archives/bugtraq/2004-03/0136.html
来源:XF
名称:pws-xss(15436)
链接:http://xforce.iss.net/xforce/xfdb/15436
来源:OSVDB
名称:4255
链接:http://www.osvdb.org/4255
来源:BUGTRAQ
名称:20040311MultipleVulnerabilitiesinPWS0.2.2
链接:http://archives.neohapsis.com/archives/bugtraq/2004-03/0109.html