MyBB 'global.php' Cross-Site Scripting Vulnerability

Vulnerability ID: 1193544
Vulnerability type: Cross-site scripting
Published: 2006-09-12
Updated: 2006-09-12
CVE ID: CVE-2006-4707
CNNVD-ID: CNNVD-200609-180
Affected platform: N/A
CVSS score: 6.8
|Vulnerability Sources
https://www.securityfocus.com/bid/83653
https://cxsecurity.com/issue/WLB-2006090068
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-180
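|Vulnerability Details
A cross-site scripting (XSS) vulnerability in admin/global.php (also known as the "Admin CP login form") in MyBB (also known as MyBulletinBoard) 1.1.7 allows remote attackers to inject arbitrary web script or HTML via the query string ($_SERVER[PHP_SELF]).
|Exploit (EXP)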
ORIGINAL ADVISORY:

http://myimei.com/security/2006-08-17/mybb-117-adminglobalphp-xss-attack.html

http://kapda.ir/page-advisory.html

**************

------Summary------

Software: MyBB

Software's Web Site: http://www.mybboard.com

Versions: 1.1.7

Class: Remote

Status: Unpatched

Exploit: Available

Solution: Available

Discovered by: imei addmimistrator

Risk Level: Medium

------Description------

There is a security bug in the file admin/global.php of MyBB 1.1.7 (latest version, fully patched) that allows an attacker to perform an XSS attack.

FOR MORE DETAIL VISIT ORIGINAL ADVISORY
|Affected Products
MyBulletinBoard MyBulletinBoard 1.1.7
|References

Source: www.mybboard.com
Link: http://www.mybboard.com/archive.php?nid=18
Source: VUPEN
Name: ADV-2006-3418
Link: http://www.frsirt.com/english/advisories/2006/3418
Source: BUGTRAQ
Name: 20060830[KAPDA]MyBB1.1.7~admin/global.php~XSSAttack
Link: http://www.securityfocus.com/archive/1/archive/1/444782/100/100/threaded
Source: MISC
Link: http://myimei.com/security/2006-08-17/mybb-117-adminglobalphp-xss-attack.html
Source: SREASON
Name: 1540
Link: http://securityreason.com/securityalert/1540
Source: SECUNIA
Name: 21697
Link: http://secunia.com/advisories/21697