mcenter MailPost mailpost.exe 跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108262 漏洞类型 跨站脚本
发布时间 2004-11-03 更新时间 2007-01-02
CVE编号 CVE-2004-1100 CNNVD-ID CNNVD-200501-031
漏洞平台 CGI CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/24721
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200501-031
|漏洞详情
MailPost是一个32位Windows系统中WebServer的CGI程序。MailPost5.1.1sv及之前版本的mailpost.exe存在跨站点脚本攻击漏洞。启用debug模式时,远程攻击者可利用append参数执行任意的web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/11596/info

MailPost is reported prone to a cross-site scripting vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data and can allow an attacker to execute arbitrary HTML and script code in a user's browser.

This vulnerability may allow for theft of cookie-based authentication credentials or other attacks.

MailPost 5.1.1sv is reported prone to this issue. It is possible that other versions are affected as well.

http://www.example.com/scripts/mailpost.exe?*debug*=''&append=<script>alert('Can%20Cross%20Site%20Script')</script>
|参考资料

来源:US-CERT
名称:VU#107998
链接:http://www.kb.cert.org/vuls/id/107998
来源:XF
名称:mailpost-append-xss(17953)
链接:http://xforce.iss.net/xforce/xfdb/17953
来源:BID
名称:11596
链接:http://www.securityfocus.com/bid/11596
来源:MISC
链接:http://www.procheckup.com/security_info/vuln_pr0410.html