HLstats 'Hlstats.PHP'跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110910 漏洞类型 跨站脚本
发布时间 2006-08-29 更新时间 2006-08-31
CVE编号 CVE-2006-4454 CNNVD-ID CNNVD-200608-484
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/28439
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-484
|漏洞详情
HLstats1.34的hlstats.php脚本存在跨站脚本攻击(XSS)漏洞,远程攻击者可借助q参数注入任意Web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/19745/info

HLstats is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied data.

Exploiting this issue may help the attacker steal cookie-based authentication credentials and launch other attacks.

Version 1.34 is reportedly affected by this issue; other versions may also be affected.

http://www.example.com/hlstats.php?mode=search&game=cstrike&st=player&q=%22%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%3C%2FSCRIPT%3E%22
|参考资料

来源:BID
名称:19745
链接:http://www.securityfocus.com/bid/19745
来源:OSVDB
名称:28238
链接:http://www.osvdb.org/28238
来源:SECUNIA
名称:21635
链接:http://secunia.com/advisories/21635
来源:FULLDISC
名称:20060829XSSinHLStats1.34
链接:http://archives.neohapsis.com/archives/fulldisclosure/2006-08/0741.html
来源:XF
名称:hlstats-hlstats-xss(28619)
链接:http://xforce.iss.net/xforce/xfdb/28619