myWebland MyBloggie BBCode img标签 跨站脚本攻击(XSS)漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110220 漏洞类型 跨站脚本
发布时间 2006-05-06 更新时间 2006-05-10
CVE编号 CVE-2006-2269 CNNVD-ID CNNVD-200605-158
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/27822
https://cxsecurity.com/issue/WLB-2006050054
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-158
|漏洞详情
myWeblandMyBloggie2.1.3及之前版本存在跨站脚本攻击(XSS)漏洞。远程攻击者可以借助BBCodeimg标签中的JavaScript事件,注入任意Web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/17865/info

MyBloggie is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. 

Attacker-supplied HTML and script code would be executed in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

[img]javascript:alert('xss')[/img]
|参考资料

来源:BID
名称:17865
链接:http://www.securityfocus.com/bid/17865
来源:BUGTRAQ
名称:20060506myBloggie<=2.1.3XSS
链接:http://www.securityfocus.com/archive/1/archive/1/433126/100/0/threaded
来源:XF
名称:mybloggie-bbcode-image-xss(26295)
链接:http://xforce.iss.net/xforce/xfdb/26295
来源:SREASON
名称:857
链接:http://securityreason.com/securityalert/857