firmCHANNEL Digital Signage account module 'index.php' cross-site scripting vulnerability

Vulnerability ID: 1116616 Vulnerability type: Cross-site scripting
Published: 2008-11-04 Updated: 2008-11-06
CVE ID: CVE-2008-4931 CNNVD-ID: CNNVD-200811-076
Platform: PHP CVSS score: 4.3
|Vulnerability sources
https://www.exploit-db.com/exploits/32566
https://www.securityfocus.com/bid/32107
https://cxsecurity.com/issue/WLB-2008110007
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200811-076
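|Vulnerability details
firmCHANNEL is a digital signage system that outputs content through devices such as LCD displays, LEDs, plasma displays or projectors. The account module in firmCHANNEL 3.24, and possibly earlier versions, contains a cross-site scripting vulnerability. A remote attacker can inject arbitrary web script or HTML via the action parameter to index.php.
|Exploit (EXP)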
source: http://www.securityfocus.com/bid/32107/info

firmCHANNEL Indoor & Outdoor Digital SIGNAGE is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

firmCHANNEL Indoor & Outdoor Digital SIGNAGE 3.24 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?module=account&action=login%3Cscript%3Ealert(%27xss%27);%3C/script%3E
|Affected products
firmCHANNEL Indoor & Outdoor Digital SIGNAGE 3.24
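
A defender can look for this pattern in web server access logs by flagging account-module requests whose `action` value is not a plain identifier. The following is an added example, not code from the advisory or from firmCHANNEL; the combined log format, the identifier allowlist, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate action names are short identifiers such as "login".
SAFE_ACTION = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_action(target):
    """Return the decoded action value if it is not a plain identifier, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("module", [""])[0] != "account":
        return None
    for value in params.get("action", []):
        # parse_qs decodes once; decode again to catch double-encoded markup.
        decoded = unquote(value)
        if not SAFE_ACTION.fullmatch(decoded):
            return decoded
    return None

def scan(lines):
    """Return (client address, decoded action) for each flagged log line."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if match:
            value = suspicious_action(match.group(1))
            if value is not None:
                hits.append((line.split()[0], value))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Nov/2008:10:00:00 +0000] "GET /index.php?module=account&action=login HTTP/1.1" 200 512',
    '192.0.2.44 - - [04/Nov/2008:10:01:00 +0000] "GET /index.php?module=account&action=login%3Cscript%3Ealert(%27xss%27);%3C/script%3E HTTP/1.1" 200 640',
    '192.0.2.45 - - [04/Nov/2008:10:02:00 +0000] "GET /index.php?module=account&action=login%253Cb%253E HTTP/1.1" 200 530',
    '192.0.2.46 - - [04/Nov/2008:10:03:00 +0000] "GET /index.php?module=news&action=list HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(client, repr(value))
```

The same allowlist can be enforced server-side before the value is used, with HTML-encoding applied wherever the parameter is echoed back into a page.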
|References

Source: BUGTRAQ
Name: 20081104 FirmChannel Digital Signage 3.24 Cross-site scripting
Link: http://www.securityfocus.com/archive/1/archive/1/498042/100/0/threaded
Source: SREASON
Name: 4566
Link: http://securityreason.com/securityalert/4566
Source: SECUNIA
Name: 32549
Link: http://secunia.com/advisories/32549
Source: OSVDB
Name: 49564
Link: http://osvdb.org/49564