Eggblog 跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109654 漏洞类型 跨站脚本
发布时间 2006-01-18 更新时间 2006-01-30
CVE编号 CVE-2006-0350 CNNVD-ID CNNVD-200601-247
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/27111
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-247
|漏洞详情
eggblog2.0中存在跨站脚本攻击(XSS)漏洞,远程攻击者可以通过topic.php的消息字段注入任意Web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/16305/info
 
Eggblog is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
 
Successful exploitation of these vulnerabilities could result in a compromise of the application, disclosure or modification of data, the theft of cookie-based authentication credentials. They may also permit an attacker to exploit vulnerabilities in the underlying database implementation. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
 
http://www.example.com/eggblog/forum/topic.php?id=N
message:<XSS>
|参考资料

来源:BID
名称:16305
链接:http://www.securityfocus.com/bid/16305
来源:SECTRACK
名称:1015505
链接:http://securitytracker.com/id?1015505
来源:SECUNIA
名称:18212
链接:http://secunia.com/advisories/18212
来源:MISC
链接:http://evuln.com/vulns/39/summary.html
来源:XF
名称:eggblog-topic-xss(24209)
链接:http://xforce.iss.net/xforce/xfdb/24209
来源:OSVDB
名称:22752
链接:http://www.osvdb.org/22752
来源:BUGTRAQ
名称:20060118[eVuln]eggblogMultipleSQLInjection&XSSVulnerabilities
链接:http://archives.neohapsis.com/archives/bugtraq/2006-01/0371.html