MyBloggie Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1112024
Vulnerability type: Cross-site scripting
Published: 2007-01-17
Updated: 2007-01-21
CVE ID: CVE-2007-0353
CNNVD-ID: CNNVD-200701-306
Platform: PHP
CVSS score: 6.8
|Vulnerability source
https://www.exploit-db.com/exploits/29492
https://cxsecurity.com/issue/WLB-2007010070
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-306
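|Vulnerability details
Cross-site scripting vulnerabilities exist in (1) index.php and (2) login.php of myBloggie 2.1.5. A remote attacker can inject arbitrary web script or HTML via the PATH_INFO string.
|Exploit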
source: http://www.securityfocus.com/bid/22097/info
 
MyBloggie is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 
These issues affect version 2.1.5; other versions may also be affected. 

http://www.example.com/login.php/>">[xss]
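The PATH_INFO reflection described above, shown as an added example that is not myBloggie source code or part of the original advisory. It assumes the common pattern in which a script builds a form action from `$_SERVER['PHP_SELF']`; the function names and the sample request are hypothetical, and `[xss]` is the page's own placeholder.

```php
<?php
// Added example: hypothetical code, NOT taken from myBloggie.
// PHP_SELF is SCRIPT_NAME followed by PATH_INFO, so everything after
// "login.php" in the request path is attacker-controlled.

// Vulnerable pattern: PHP_SELF is reflected into an attribute unescaped,
// so a `">` in PATH_INFO closes the attribute and the tag.
function form_action_vulnerable(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened form: use SCRIPT_NAME (which excludes PATH_INFO) and still
// escape it for the HTML attribute context.
function form_action_hardened(array $server): string
{
    $action = htmlspecialchars(
        $server['SCRIPT_NAME'],
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<form method="post" action="' . $action . '">';
}

// Defence in depth: a script that does not route on PATH_INFO can refuse
// any request that carries one (for example by answering 404).
function has_unexpected_path_info(array $server): bool
{
    return isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '';
}

// Constructed request modelled on the URL shown on this page.
$server = [
    'SCRIPT_NAME' => '/login.php',
    'PATH_INFO'   => '/>">[xss]',
    'PHP_SELF'    => '/login.php/>">[xss]',
];

echo form_action_vulnerable($server), "\n"; // placeholder lands outside the attribute
echo form_action_hardened($server), "\n";   // action stays /login.php

if (has_unexpected_path_info($server)) {
    echo "request would be rejected: unexpected PATH_INFO\n";
}
```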
|References

Source: BID
Name: 22097
Link: http://www.securityfocus.com/bid/22097
Source: BUGTRAQ
Name: 20070117 [x0n3-h4ck] myBloggie 2.1.5 XSS exploit
Link: http://www.securityfocus.com/archive/1/archive/1/457206/100/0/threaded
Source: OSVDB
Name: 32930
Link: http://osvdb.org/32930
Source: OSVDB
Name: 32929
Link: http://osvdb.org/32929
Source: MISC
Link: http://mywebland.com/forums/showtopic.php?t=1224
Source: FULLDISC
Name: 20070117 [x0n3-h4ck] myBloggie 2.1.5 XSS exploit
Link: http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0338.html
Source: XF
Name: mybloggie-indexlogin-xss(31554)
Link: http://xforce.iss.net/xforce/xfdb/31554
Source: SECTRACK
Name: 1017531
Link: http://securitytracker.com/id?1017531
Source: SREASON
Name: 2155
Link: http://securityreason.com/securityalert/2155