BlogEngine.NET 'blog/search.aspx'跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117543 漏洞类型 跨站脚本
发布时间 2009-04-01 更新时间 2009-04-01
CVE编号 CVE-2008-6476 CNNVD-ID CNNVD-200903-271
漏洞平台 ASP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/32874
https://www.securityfocus.com/bid/34227
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-271
|漏洞详情
BlogEngine.NET是一个开放源码的.net博客平台。BlogEngine.NET的blog/search.aspx中存在跨站脚本攻击漏洞。远程攻击者可以借助q参数,注入任意web脚本或HTML。
|漏洞EXP
source: http://www.securityfocus.com/bid/34227/info

BlogEngine.NET is prone to a cross-site scripting vulnerability.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.

BlogEngine.NET 1.4 is vulnerable; other versions may also be affected.

http://www.example.com/blog/search.aspx?q="><script>alert('ImBeded%20JS')</script>
|受影响的产品
BlogEngine.NET BlogEngine.NET 1.4
|参考资料

来源:XF
名称:blogengine-search-xss(49307)
链接:http://xforce.iss.net/xforce/xfdb/49307
来源:BID
名称:34227
链接:http://www.securityfocus.com/bid/34227
来源:MISC
链接:http://osvdb.org/ref/44/blogengine-search-xss.txt
来源:OSVDB
名称:44290
链接:http://osvdb.org/44290