Invision Power Board 'D22-Shoutbox' Cross-Site Scripting Vulnerability

Vulnerability ID: 1189345
Vulnerability type: Cross-site scripting
Published: 2007-08-22
Updated: 2007-08-22
CVE ID: CVE-2007-4487
CNNVD ID: CNNVD-200708-368
Platform: N/A
CVSS score: 4.3
|Vulnerability sources
https://www.securityfocus.com/bid/81590
https://cxsecurity.com/issue/WLB-2007080116
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-368
|Vulnerability details
A cross-site scripting vulnerability exists in the D22-Shoutbox for Invision Power Board (IPB or IP.Board). A remote attacker can inject arbitrary web script or HTML via unspecified vectors.
|Vulnerability exploit
[HSC] Invision Power Board D22-Shoutbox HTML Injections

D22-Shoutbox suffers from improper validation of HTML tag filtering.
An attacker may leverage this issue to have arbitrary script code execute
in the browser of an unsuspecting user in the context of the affected site.
This may help the attacker steal cookie-based authentication credentials and
launch other attacks. A successful script could allow an attacker to compromise
the application, access or modify data, or exploit vulnerabilities in the
underlying database implementation.

Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz

Class: Input Validation Error

Remote: Yes
Local: N/A

Product: D22-Shoutbox
Version:  N/A
Vendor:  http://www.dscripting.com/

An exploit is not needed; attackers can exploit these issues via a web client.

Only by becoming a hacker can you stop a hacker. Where can you learn without having
to pay thousands? - http://kit.hackerscenter.com - The most comprehensive security
pack you will ever find on the net!
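The advisory above describes the classic shoutbox failure: user text is passed through a tag filter and then trusted as markup. The following is an added example, not code from the advisory, from D22-Shoutbox or from Invision Power Board. It assumes PHP (the language IPB and its mods are written in), a hypothetical `render_shout()` function, an mbstring build for the length cap, and a constructed BBCode-style allowlist (`[b]`, `[i]`) standing in for whatever formatting a real shoutbox offers. The point it shows is the defensive pattern: encode everything on output first, then reintroduce only formatting the application itself defines.

```php
<?php
// Added example (not from the advisory or the D22-Shoutbox project).
// Renders a user-supplied shout so that any HTML in it is displayed as
// literal text, regardless of what an input-side tag filter did or missed.

declare(strict_types=1);

/**
 * Render one shout for inclusion in an HTML page.
 *
 * Step 1 encodes every HTML-significant character (& < > " '), so the
 * browser can never interpret user input as markup.
 * Step 2 converts a tiny, application-defined BBCode allowlist into
 * HTML on the already-encoded string; this is the only way markup can
 * appear in the output, and its shape is fixed by the code, not the user.
 */
function render_shout(string $shout): string
{
    // Constructed limit: shouts are short, so cap length before doing anything else.
    $text = mb_substr(trim($shout), 0, 500, 'UTF-8');

    // Output encoding: ENT_QUOTES covers both quote characters,
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $encoded = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // Assumed BBCode allowlist: only these two tokens may become tags.
    $patterns     = ['/\[b\](.*?)\[\/b\]/s', '/\[i\](.*?)\[\/i\]/s'];
    $replacements = ['<b>$1</b>', '<i>$1</i>'];
    $formatted = preg_replace($patterns, $replacements, $encoded);

    // preg_replace returns null only on a regex engine error; fall back to
    // the plain encoded text rather than emitting nothing or raw input.
    return $formatted ?? $encoded;
}

/**
 * Defensive self-check usable in a unit test or a template assertion:
 * true if the rendered HTML contains any '<' that does not start one of
 * the allowlisted tags (<b>, </b>, <i>, </i>).
 */
function has_unexpected_tag(string $html): bool
{
    return (bool) preg_match('#<(?!/?[bi]>)#', $html);
}

// Constructed sample input mixing legitimate formatting with injected markup.
$sample = 'hi [b]all[/b] <script>alert(1)</script> & "quotes" \'apos\'';

$out = render_shout($sample);
echo $out, PHP_EOL;
// hi <b>all</b> &lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;quotes&quot; &apos;apos&apos;

var_dump(has_unexpected_tag($out)); // bool(false): only the allowlisted <b> survived
```

Run it with `php render_shout.php`. The design choice worth noting is the ordering: encoding first and formatting second means the allowlist regexes only ever see entity-encoded text, so a `[b]` token cannot smuggle a `<` or a quote into the generated `<b>` tag. Reversing the order (formatting first, then encoding) would encode the application's own tags, and filtering without encoding at all is the pattern the advisory reports as broken.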
|Affected products
Dscripting.Com D22-Shoutbox 0
|References

Source: BUGTRAQ
Name: 20070821 Invision Power Board D22-Shoutbox HTML Injections
Link: http://www.securityfocus.com/archive/1/archive/1/477224/100/0/threaded
Source: MISC
Link: http://www.hackerscenter.com/Archive/view.asp?id=27873
Source: OSVDB
Name: 38356
Link: http://osvdb.org/38356
Source: XF
Name: d22shoutbox-unspecified-xss(36139)
Link: http://xforce.iss.net/xforce/xfdb/36139
Source: SREASON
Name: 3051
Link: http://securityreason.com/securityalert/3051