Hogstorps hogstorp guestbook tabort.asp Input Validation Vulnerability

Vulnerability ID: 1110172
Vulnerability type: Access validation error
Published: 2006-05-01
Updated: 2007-01-05
CVE ID: CVE-2006-2771
CNNVD ID: CNNVD-200606-055
Platform: ASP
CVSS score: 6.4
|Vulnerability source
https://www.exploit-db.com/exploits/27932
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-055
|Vulnerability details
admin/radera/tabort.asp in Hogstorps hogstorp guestbook 2.0 does not verify user credentials, which allows remote attackers to delete arbitrary posts by modifying the delID parameter.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/18205/info

Hogstorps guestbook is prone to an access-authorization vulnerability. The issue occurs because the affected script fails to prompt for authentication credentials.

An attacker can exploit this issue to delete and modify application data. This could aid in further attacks on the affected computer.

Version 2.0 is vulnerable; other versions may also be affected.

http://www.example.com/[path_of_application]/admin/radera/tabort.asp?delID=119
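As an added illustration (not code from Hogstorps guestbook, whose actual source is not on this page), here is a hypothetical classic ASP delete handler in the vulnerable shape the advisory describes, followed by a hardened form that checks the admin session, requires POST, validates delID, and uses a parameterized query. The table name `posts`, the session key `isAdmin` and the `ConnString` application variable are assumptions.

```asp
<%
' --- Vulnerable shape (hypothetical, for illustration only): deletes whatever row
' --- delID names, with no check that the caller is an authenticated administrator.
' Set conn = Server.CreateObject("ADODB.Connection")
' conn.Open Application("ConnString")
' conn.Execute "DELETE FROM posts WHERE id = " & Request.QueryString("delID")

' --- Hardened form. Assumptions: the login page sets Session("isAdmin") = True,
' --- "posts"/"id" are placeholder names, and ConnString is an Application variable.
Option Explicit
Dim delID, re, conn, cmd

' 1. Require an authenticated admin session before doing anything else.
If Session("isAdmin") <> True Then
    Response.Status = "403 Forbidden"
    Response.Write "Not authorized."
    Response.End
End If

' 2. Require POST so the deletion cannot be triggered by a plain link or image tag.
If UCase(Request.ServerVariables("REQUEST_METHOD")) <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.End
End If

' 3. Accept only a short positive integer, taken from the form body, not the query string.
delID = Trim(Request.Form("delID"))
Set re = New RegExp
re.Pattern = "^[1-9][0-9]{0,8}$"
If Not re.Test(delID) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 4. Delete with a parameterized command so delID is never concatenated into SQL.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "DELETE FROM posts WHERE id = ?"
' 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(delID))
cmd.Execute
conn.Close
Response.Redirect "list.asp"
%>
```

The session check is what the advisory says the original script lacks; the POST requirement and input validation are defence in depth, and a per-session CSRF token on the form would complete the admin-action protection.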
|References

Source: BID
Name: 18205
Link: http://www.securityfocus.com/bid/18205
Source: VUPEN
Name: ADV-2006-2082
Link: http://www.frsirt.com/english/advisories/2006/2082
Source: SECUNIA
Name: 20402
Link: http://secunia.com/advisories/20402
Source: MISC
Link: http://colander.altervista.org/advisory/HTGuestBook2.txt
Source: XF
Name: hogstorp-guestbook-redigera2-security-bypass(26979)
Link: http://xforce.iss.net/xforce/xfdb/26979