eXV2 CMS Cross-Site Scripting Vulnerability

Vulnerability ID 1189442 Vulnerability type Cross-site scripting
Published 2007-08-15 Updated 2007-08-15
CVE ID CVE-2007-4365 CNNVD ID CNNVD-200708-241
Platform N/A CVSS score 4.3
|Vulnerability sources
https://www.securityfocus.com/bid/81601
https://cxsecurity.com/issue/WLB-2007080088
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-241
|Vulnerability details
eXV2 CMS 2.0.5 and earlier contain a cross-site scripting vulnerability. A remote attacker can inject arbitrary web script or HTML via the set_lang cookie of an unspecified component. Note: this vulnerability may overlap CVE-2007-1965.
|Vulnerability EXP
Details
=======
Product: eXV2.de CMS <= 2.0.5.
Severity: moderated
Remote-Exploit: yes
Vendor-URL: http://www.exv2.de/
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: Vision aka n-tier
http://www.i-s-o.org

Original Advisory:
============
http://www.i-s-o.org/security.txt

Introduction
============
eXV2.de CMS is a Content Management System.

More Details
============
1. Cross Site Scripting:
Input passed directly to the "set_lang" parameter in the Browser Cookie is not properly sanitised before being returned to the user.
A user can send a cookie to himself with ?/set_lang=deutsch and edit it.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Workaround: [Cross Site Scripting]
=============
Edit the source code to ensure that input is properly sanitised.

Example:

$my_Cookie_Vars = $_COOKIE;
$abuse = false; // initialise, so the check below never reads an undefined variable

if (isset($my_Cookie_Vars['set_lang'])) {
    // Only the three shipped languages are acceptable cookie values.
    if (!in_array($my_Cookie_Vars['set_lang'], array("deutsch", "english", "french"), true)) {
        $abuse = true;
        $xoopsConfig['language'] = $xoopsConfig['default_language'];
    }
}

if ($abuse) {
    die("The desired action could not be performed.");
}
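
The reflected-cookie pattern described above, beside a hardened version that whitelists the value and escapes it on output, as an added example that is neither eXV2's code nor the advisory author's workaround. The function names, the HTML fragment and the setcookie options are assumptions, since the page does not show the affected eXV2 source; only the set_lang cookie/parameter and the three language names come from the advisory.

```php
<?php
// Added example, not eXV2 code: the function names, the HTML fragment and the
// setcookie options are assumptions; only the set_lang cookie/parameter and
// the three language names come from the advisory.

// Languages the site actually ships; the only values a cookie may select.
const ALLOWED_LANGS = ['deutsch', 'english', 'french'];
const DEFAULT_LANG  = 'english';

// Vulnerable pattern: the cookie, which the site itself writes from a
// ?set_lang= request, is echoed straight into the page without any check.
function render_lang_switch_vulnerable(array $cookie): string
{
    $lang = $cookie['set_lang'] ?? DEFAULT_LANG;
    return '<a href="?set_lang=' . $lang . '">' . $lang . '</a>';
}

// Hardened pattern, step 1: accept only whitelisted values, fall back otherwise.
function select_language(?string $requested): string
{
    return in_array($requested, ALLOWED_LANGS, true) ? $requested : DEFAULT_LANG;
}

// Hardened pattern, step 2: escape on output anyway, so that a later change to
// the whitelist (or to where the value comes from) cannot reintroduce the bug.
function render_lang_switch_hardened(array $cookie): string
{
    $lang = select_language($cookie['set_lang'] ?? null);
    $safe = htmlspecialchars($lang, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="?set_lang=' . $safe . '">' . $safe . '</a>';
}

// The cookie is written from the request, so validate at that point as well;
// a hand-edited cookie is then the only remaining path and step 1 closes it.
function store_lang_from_request(array $get): ?string
{
    if (!isset($get['set_lang'])) {
        return null;
    }
    $lang = select_language($get['set_lang']);
    setcookie('set_lang', $lang, ['httponly' => true, 'samesite' => 'Lax']);
    return $lang;
}

// Constructed sample cookie jar carrying markup instead of a language name.
$cookie = ['set_lang' => '"><b>injected</b>'];
echo render_lang_switch_vulnerable($cookie), "\n"; // markup emitted verbatim
echo render_lang_switch_hardened($cookie), "\n";   // renders the default language
```

Run it on the command line to compare the two output lines; the hardened version never emits anything outside the whitelist, and the escaping is defence in depth rather than the primary control.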

History/Timeline
================
7.08.2007 discovery of the vulnerabilities
8.08.2007 additional tests with other versions
10.08.2007 contacted the vendor
|Affected products
exV2 Content Management System 2.0.5
|References

Source: BUGTRAQ
Name: 20070813 eXV2.de Browser Cookie is not properly sanitised
Link: http://www.securityfocus.com/archive/1/archive/1/476287/100/0/threaded
Source: MISC
Link: http://www.i-s-o.org/security.txt
Source: OSVDB
Name: 36479
Link: http://osvdb.org/36479
Source: XF
Name: exv2-setlang-xss(35992)
Link: http://xforce.iss.net/xforce/xfdb/35992
Source: SREASON
Name: 3021
Link: http://securityreason.com/securityalert/3021