Chipmunk Blogger多个跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1191581 漏洞类型 跨站脚本
发布时间 2007-02-23 更新时间 2007-02-23
CVE编号 CVE-2006-7043 CNNVD-ID CNNVD-200702-468
漏洞平台 N/A CVSS评分 3.5
|漏洞来源
https://www.securityfocus.com/bid/82130
https://cxsecurity.com/issue/WLB-2007030004
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-468
|漏洞详情
ChipmunkBlogger中存在多个跨站脚本攻击漏洞。远程认证用户可以在(1)Posts,(2)Profilenames,(3)照片画廊中的URL参数中的javascriptURI中,注入任意的web脚本或HTML。
|漏洞EXP
ChipmunkBlogger improper input sanitizing

Discovered by: Nomenumbra
Date: 6/4/2006
impact:moderate (privilege escalation,possible defacement)

Posts (potentially made by lower-privilege members) and profile names aren't properly sanitized, thus resulting
in being vulnerable to the following kind of XSS injection:

<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The photo gallery input isn't sanitized either, by giving the following
input as an url we have a nice XSS attack:

javascript:alert(%27xss%27)

Nomenumbra/[0x4F4C]
|受影响的产品
Chipmunk Scripts Chipmunk Blogger 0
|参考资料

来源:XF
名称:chipmunkblogger-multiple-xss(26296)
链接:http://xforce.iss.net/xforce/xfdb/26296
来源:BID
名称:17862
链接:http://www.securityfocus.com/bid/17862
来源:BUGTRAQ
名称:20060506ChipmunkBloggerimproperinputsanitizing
链接:http://archives.neohapsis.com/archives/bugtraq/2006-05/0104.html
来源:SREASON
名称:2306
链接:http://securityreason.com/securityalert/2306