Apache Geronimo跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109636 漏洞类型 跨站脚本
发布时间 2006-01-16 更新时间 2008-08-25
CVE编号 CVE-2006-0254 CNNVD-ID CNNVD-200601-181
漏洞平台 Multiple CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/27096
https://www.securityfocus.com/bid/16260
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-181
|漏洞详情
ApacheGeronimo是美国阿帕奇(Apache)软件基金会的一款开源的J2EE服务器产品,该产品具有可伸缩性、可进行配置管理等特点。ApacheGeronimo由于没有正确的验证用户输入,导致Geronimo中存在跨站脚本攻击漏洞,远程攻击者可以利用这些漏洞执行任意代码或窃取敏感信息。
|漏洞EXP
source: http://www.securityfocus.com/bid/16260/info
 
Apache Geronimo is prone to multiple input-validation vulnerabilities because the application fails to properly sanitize user-supplied input.
 
A successful exploit could allow an attacker to compromise the application, access or modify data, or steal cookie-based authentication credentials. The attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible. 

http://www.example.com/script-that-dont-has-to-exist.jsp?foobar="/><script>alert(document.cookie)</script>
|受影响的产品
Redhat Red Hat Network Satellite Server 5.0 Redhat Red Hat Network Satellite Server 4.2 Redhat Network Satellite (for RHEL 4) 5.1 Redhat Network Satellite (for RHEL 4) 4.2 Redhat Networ
|参考资料

来源:issues.apache.org
链接:https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12310181&stylename=Html&projectId=10220&Create=Create
来源:issues.apache.orge
链接:https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12310181&stylename=Html&projectId=10220&Create=Create
来源:BID
名称:16260
链接:http://www.securityfocus.com/bid/16260
来源:BUGTRAQ
名称:20060115ApacheGeronimo1.0-CSSandpersistentHTML-Injectionvulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/421996/100/0/threaded
来源:MISC
链接:http://www.oliverkarow.de/research/geronimo_css.txt
来源:VUPEN
名称:ADV-2006-0217
链接:http://www.frsirt.com/english/advisories/2006/0217
来源:SECUNIA
名称:18485
链接:http://secunia.com/advisories/18485
来源:MISC
链接:http://issues.apache.org/jira/browse/GERONIMO-1474
来源:XF
名称:geronimo-webaccesslog-viewer-xss(24159)
链接:http://xforce.iss.net/xforce/xfdb/24159
来源:XF
名称:geronimo-jspexamples-xss(24158)
链接:http://xforce.iss.net/xforce/xfdb/24158
来源:REDHAT
名称:RHSA-2008:0261
链接:http://www.redhat.com/suppo