CPanel DNSlook.HTML跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111586 漏洞类型 跨站脚本
发布时间 2006-11-17 更新时间 2007-03-08
CVE编号 CVE-2004-1875 CNNVD-ID CNNVD-200403-142
漏洞平台 PHP CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/29071
https://www.securityfocus.com/bid/21142
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200403-142
|漏洞详情
cPanel9.1.0-R85版本存在多个跨站脚本攻击(XSS)漏洞。远程攻击者借助(1)testfile.html的email参数,(2)erredit.html的file参数,(3)dnslook.html的dns参数,(4)ignorelist.html的account参数,(5)showlog.html的account参数,(6)repairdb.html的db参数,(7)doaddftp.html的login参数(8)editmsg.htm的account参数,或(9)del.html的ip参数注入任意web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/21142/info

Cpanel is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. 

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects version 10; other versions may also be vulnerable.

http://www.example.com/frontend/x/net/dnslook.html?dns=[XSS]
|受影响的产品
cPanel cPanel 10
|参考资料

来源:XF
名称:cpanel-multiple-scripts-xss(15671)
链接:http://xforce.iss.net/xforce/xfdb/15671
来源:www.cirt.net
链接:http://www.cirt.net/advisories/cpanel_xss.shtml
来源:SECUNIA
名称:11244
链接:http://secunia.com/advisories/11244
来源:BUGTRAQ
名称:20040330ExensivecPanelCrossSiteScripting
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108066561608676&w=2
来源:BID
名称:21142
链接:http://www.securityfocus.com/bid/21142
来源:BID
名称:10002
链接:http://www.securityfocus.com/bid/10002
来源:OSVDB
名称:4243
链接:http://www.osvdb.org/4243
来源:OSVDB
名称:4215
链接:http://www.osvdb.org/4215
来源:OSVDB
名称:4214
链接:http://www.osvdb.org/4214
来源:OSVDB
名称:4213
链接:http://www.osvdb.org/4213
来源:OSVDB
名称:4212
链接:http://www.osvdb.org/4212
来源:OSVDB
名称:4211
链接:http://www.osvdb.org/4211
来源:OSVDB
名称:4210
链接:http://www.osvdb.org/4210
来源:OSVDB
名称:4209
链接:http://www.osvdb.org/4209
来源:OSVDB
名称:4208
链接:http://www.osvdb.org/4208
来源:VUPEN
名称:ADV-2006-4658
链接:http://www.frsirt.com/english/advisories/2006/4658
来源:www.aria-security.com
链接:http://www.aria-security.com