YA Book 'index.php' Cross-Site Scripting Vulnerability

Vulnerability ID: 1190843    Type: Cross-site scripting (XSS)
Published: 2007-04-25    Updated: 2007-04-26
CVE: CVE-2007-2265    CNNVD-ID: CNNVD-200704-480
Platform: N/A    CVSS score: 6.8
|Source
https://cxsecurity.com/issue/WLB-2007040136
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-480
|Details
YA Book contains a stored (persistent) cross-site scripting vulnerability. A remote attacker can inject arbitrary web script or HTML through the city field of the sign action in index.php (the guestbook entry form, index.php?mode=sign); the value is stored and rendered unescaped to every visitor who views the guestbook.
|Exploit
  .      .        .  
._ | _.  .|_  _. _.;_/
[_)|(_]\_|[ )(_](_.| \.net
|      ._|            
"YA Book 0.98-alpha - Persistent XSS Vulnerability"
	by Omni

1) Infos
---------
Date            : 2007-04-23
Product         : YA Book
Version         : 0.98-alpha - Prior versions may also be affected
Vendor          : http://sourceforge.net/projects/yabook - http://www.phpee.com/
Vendor Status   : 2007-04-23 -> Not Informed!
		  2007-04-24 -> Informed!

Description     :  YaBook- Ya Book! ...or yet another guestbook. YaBook is a simple but powerful guestbook running on PHP
                   5. It features easy installation and customization, multi-language support, and an administration
                   interface. Various database systems are supported.

Google Dork     : Powered by YaBook 0.98-alpha - "Powered by YaBook 0.98-alpha"

Source          : omnipresent - omni
E-mail          : omnipresent[at]email[dot]it - omni[at]playhack[dot]net
Team            : Playhack.net Security

2) Security Issues
-------------------

--- [ Remote Persistent XSS ] ---
=================================

YA Book is vulnerable to an XSS. A malicious user can put HTML or JS code in the City field
(in the sign module: http://host/path/index.php?mode=sign) as shown below:

Eg script:

<script>alert("XSS")</script>

The vulnerability exists because the city field is not properly sanitized before being used!

--- [ PoC ] ---
===============

A guest can post a new message and, after entering the right captcha :D, can put in the city field code like:

<script>location.href="http://host.com"</script>

for a redirect with JS or.. can inject other (eg: HTML, JS) code..

3) Patch
--------

Edit the source code to ensure that the input is properly sanitized before being used.
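The advisory's patch advice ("ensure that the input is properly sanitized") is the right idea but does not say where the fix belongs. The block below is an added example, not YaBook's code and not the advisor's: a hypothetical minimal guestbook entry renderer in the shape of index.php?mode=sign, showing the unescaped-output pattern that produces this class of bug beside the hardened form. The fix that actually closes the hole is HTML-entity encoding at output time (htmlspecialchars with ENT_QUOTES); the input-side plausibility check is an extra layer, not a substitute. The sample entry is constructed, and the function names are assumptions. Requires PHP 8 (str_contains).

```php
<?php
// Added example (not YaBook's code): minimal guestbook "sign" rendering,
// vulnerable pattern beside the hardened one. Function names are hypothetical.
declare(strict_types=1);

// Constructed sample entry, as an attacker would submit it through the sign form.
$submitted = [
    'name' => 'guest',
    'city' => '<script>location.href="http://host.com"</script>',
    'text' => 'hello',
];

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so whatever the guest typed into "city" is executed by every later visitor.
function render_entry_vulnerable(array $entry): string
{
    return '<div class="entry">'
         . '<b>' . $entry['name'] . '</b> from ' . $entry['city']
         . '<p>' . $entry['text'] . '</p></div>';
}

// Hardened pattern: encode every untrusted field for the HTML body context at
// output time. ENT_QUOTES also encodes ' and ", so the same helper is safe
// inside quoted attribute values; the charset must match the page encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_entry_safe(array $entry): string
{
    return '<div class="entry">'
         . '<b>' . h($entry['name']) . '</b> from ' . h($entry['city'])
         . '<p>' . h($entry['text']) . '</p></div>';
}

// Optional input-side check: a city name has no business containing markup.
// Reject implausible values instead of trying to "clean" them; output
// encoding above remains the real fix, since stored data may come from
// other paths (imports, older entries, admin edits).
function city_is_plausible(string $city): bool
{
    return strlen($city) <= 64
        && preg_match('/^[\p{L}\p{M}\s.\'-]+$/u', $city) === 1;
}

// Self-check: the vulnerable output carries the payload verbatim, the
// hardened output only its entity-encoded form.
function check(bool $ok, string $what): void
{
    echo ($ok ? 'PASS' : 'FAIL') . ": $what\n";
}

$vuln = render_entry_vulnerable($submitted);
$safe = render_entry_safe($submitted);

check(str_contains($vuln, '<script>'), 'vulnerable renderer emits raw <script>');
check(!str_contains($safe, '<script>'), 'hardened renderer emits no raw <script>');
check(str_contains($safe, '&lt;script&gt;'), 'hardened renderer entity-encodes the tag');
check(city_is_plausible('Rome'), 'plain city name accepted');
check(!city_is_plausible($submitted['city']), 'payload rejected by input check');

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
```

Run it with `php example.php`. The same output-encoding rule applies to the name and message fields; the advisory only names the city field, but any field the guestbook stores and echoes back is a candidate for the same bug, so the check is worth repeating on each one.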
|References

Source: BID
Name: 23626
Link: http://www.securityfocus.com/bid/23626
Source: BUGTRAQ
Name: 20070424YABook0.98PersistentXSS
Link: http://www.securityfocus.com/archive/1/archive/1/466743/100/0/threaded
Source: OSVDB
Name: 35519
Link: http://osvdb.org/35519
Source: XF
Name: yabook-city-xss(33894)
Link: http://xforce.iss.net/xforce/xfdb/33894
Source: SREASON
Name: 2629
Link: http://securityreason.com/securityalert/2629