SiteBar command.php Cross-Site Scripting Vulnerability

Vulnerability ID: 1194318
Vulnerability type: Cross-site scripting
Published: 2006-06-27
Updated: 2007-10-24
CVE: CVE-2006-3320
CNNVD ID: CNNVD-200606-603
Platform: N/A
CVSS score: 2.6
|Sources
https://www.securityfocus.com/bid/18680
https://cxsecurity.com/issue/WLB-2006070025
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-603
|Details
Cross-site scripting (XSS) vulnerability in command.php in SiteBar 3.3.8 and earlier. A remote attacker can inject arbitrary web script or HTML via the command parameter, which is reflected into the response without being encoded.
|Exploit / proof of concept
Kurdish Security Advisory

irc.gigachat.net #kurdhack

Viva Kurdistan!

SiteBar Script Cross-Site Scripting Attack

Site : http://brablc.com/

Version : All Versions

Proof of Concept :

http://www.site.com/sitebar/command.php?command=[CODES]

Original Advisory :

http://kurdishsecurity.blogspot.com/2006/06/kurdish-security-11-sitebar-cross-site.html
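The flaw described above is a reflected XSS: a request parameter is written back into the page as-is. The snippet below is an added illustration for this entry, not SiteBar's own code and not part of the original advisory; the function names, the hypothetical command whitelist and the constructed sample request are assumptions. It puts the unsafe echoing pattern beside the hardened form (a closed set of accepted values, plus HTML-context encoding of anything that is reflected).

```php
<?php
// Added illustration, not SiteBar's code: a reflected-XSS pattern of the kind
// described for command.php, and the hardened equivalent.

// Vulnerable pattern (hypothetical): the request parameter is interpolated
// straight into HTML, so any markup in it becomes part of the page.
function render_unsafe(array $get): string
{
    $command = $get['command'] ?? '';
    return "<p>Unknown command: $command</p>";
}

// Hypothetical set of commands the script actually understands.
const KNOWN_COMMANDS = ['add', 'edit', 'delete'];

// Hardened pattern: validate against the closed set first, and encode for the
// HTML context before anything derived from the request is reflected.
function render_safe(array $get): string
{
    $command = (string) ($get['command'] ?? '');
    if (!in_array($command, KNOWN_COMMANDS, true)) {
        // Do not echo the unexpected value back; report a fixed message instead.
        return '<p>Unknown command.</p>';
    }
    // Even for accepted values, encode on output so the rule holds if the
    // whitelist is later relaxed. ENT_QUOTES also covers attribute contexts.
    $escaped = htmlspecialchars($command, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Command: $escaped</p>";
}

// Constructed sample request using the classic XSS test string (not a real
// captured request). Running this file shows the difference: the unsafe
// renderer emits the tag verbatim, the hardened one never reflects it.
$sample = ['command' => '<script>alert(1)</script>'];

echo "Unsafe: " . render_unsafe($sample) . "\n";
echo "Safe:   " . render_safe($sample) . "\n";
echo "Safe (accepted value): " . render_safe(['command' => 'edit']) . "\n";
```

Run it with `php` on the command line. A fix for the real issue belongs in the project's own output path for command.php; the point here is that validation on input and encoding on output are both needed, since the whitelist alone does not protect other places where the same value may be reflected.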
|Affected products
SiteBar 3.3.8, 3.3.7, 3.3.6, 3.3.5, 3.3.4, 3.3.3, 3.3.2
|References

Source: XF
Name: sitebar-command-xss(27421)
Link: http://xforce.iss.net/xforce/xfdb/27421
Source: BID
Name: 18680
Link: http://www.securityfocus.com/bid/18680
Source: BUGTRAQ
Name: 20060627 [Kurdish Security #11] SiteBar Cross-Site Scripting
Link: http://www.securityfocus.com/archive/1/archive/1/438464/100/0/threaded
Source: VUPEN
Name: ADV-2006-2568
Link: http://www.frsirt.com/english/advisories/2006/2568
Source: SECUNIA
Name: 20841
Link: http://secunia.com/advisories/20841
Source: MISC
Link: http://kurdishsecurity.blogspot.com/2006/06/kurdish-security-11-sitebar-cross-site.html
Source: BID
Name: 26126
Link: http://www.securityfocus.com/bid/26126
Source: BUGTRAQ
Name: 20071018 Serious holes affecting SiteBar 3.3.8
Link: http://www.securityfocus.com/archive/1/archive/1/482499/100/0/threaded
Source: OSVDB
Name: 26869
Link: http://www.osvdb.org/26869
Source: DEBIAN
Name: DSA-1130
Link: http://www.debian.org/security/2006/dsa-1130
Source: teamforge.net
Link: http://teamforge.net/viewcvs/viewcvs.cgi/tags/release-3.3.9/doc/history.txt?view=markup
Source: SREASON
Name: 1174
Link: http://securityreason.com/securityalert/1174