wellyblog 'edit.php' Cross-Site Scripting Vulnerability

Vulnerability ID: 1184544  Vulnerability type: Cross-site scripting
Published: 2008-11-21  Updated: 2008-11-21
CVE ID: CVE-2008-5205  CNNVD-ID: CNNVD-200811-364
Platform: N/A  CVSS score: 4.3
|Vulnerability Source
https://www.securityfocus.com/bid/80808
https://cxsecurity.com/issue/WLB-2008060071
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200811-364
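|Vulnerability Details
A cross-site scripting vulnerability exists in edit.php of wellyblog. A remote attacker can inject arbitrary web script or HTML via the articleid parameter in an add action.
|Vulnerability EXP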
   Virangar Security Team
  


# Title: WellyBlog Open Source Blog Portal Cross Site Scripting Vulnerability


# Author..................: [the_Edit0r]
# Homepage ...............: [Www.Virangar.net][www.virangar.ir]
# Location ...............: [Iran]
# Software ...............: [WellyBlog Open Source Blog Portal]
# Site Script ............: [http://sourceforge.net/projects/wellyblog/]
# Virangar Team ..........: [ hadihadi,MR.nosrati,black.shadowes,MR.hesy,IGI,Kasra515,N1GHT_F0x ]
# Im Member

--------------------------------------- proof Of Concept ----------------------------------------


  www.example.com/[path]/edit.php?function=add&articleid=[Xss Script]


------------------------------------------ Contact me -------------------------------------------

# Contact me : the_3dit0r[at]Yahoo[dot]coM
# [ Virangar.net]
|Affected Products
Wellyblog Wellyblog Nil
|References

Source: XF
Name: wellyblog-edit-xss(43433)
Link: http://xforce.iss.net/xforce/xfdb/43433
Source: BUGTRAQ
Name: 20080626WellyBlogOpenSourceBlogPortalCrossSiteScriptingVulnerabilitiy
Link: http://www.securityfocus.com/archive/1/archive/1/493710/100/0/threaded
Source: SREASON
Name: 4645
Link: http://securityreason.com/securityalert/4645