Gphotos 多个跨站脚本攻击(XSS) 漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110265 漏洞类型 跨站脚本
发布时间 2006-05-13 更新时间 2006-05-16
CVE编号 CVE-2006-2397 CNNVD-ID CNNVD-200605-265
漏洞平台 PHP CVSS评分 5.8
|漏洞来源
https://www.exploit-db.com/exploits/27865
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-265
|漏洞详情
GPhotos1.5及之前版本存在多个跨站脚本攻击(XSS)漏洞。远程攻击者可以借助对(a)index.php或(b)diapo.php的(1)rep参数,或对(c)affich.php的(2)image参数,注入任意Web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/17967/info
 
Gphotos is prone to multiple input-validation vulnerabilities. The issues include information-disclosure and cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. 
 
A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, or steal cookie-based authentication credentials. Other attacks are also possible.
 
http://www.example.com/diapo.php?rep=[xss]
|参考资料

来源:BID
名称:17967
链接:http://www.securityfocus.com/bid/17967
来源:BUGTRAQ
名称:20060513GphotosDirectoryTraversalandCrossSiteScripting
链接:http://www.securityfocus.com/archive/1/archive/1/433936/100/0/threaded
来源:VUPEN
名称:ADV-2006-1806
链接:http://www.frsirt.com/english/advisories/2006/1806
来源:SECUNIA
名称:20095
链接:http://secunia.com/advisories/20095
来源:XF
名称:gphotos-multiple-xss(26426)
链接:http://xforce.iss.net/xforce/xfdb/26426
来源:OSVDB
名称:25499
链接:http://www.osvdb.org/25499
来源:OSVDB
名称:25498
链接:http://www.osvdb.org/25498
来源:OSVDB
名称:25497
链接:http://www.osvdb.org/25497
来源:SREASON
名称:906
链接:http://securityreason.com/securityalert/906