ZMS Cross-Site Scripting (XSS) Vulnerability

Vulnerability ID: 1194569    Vulnerability type: Cross-site scripting
Published: 2006-06-12    Updated: 2006-06-12
CVE ID: CVE-2006-2997    CNNVD ID: CNNVD-200606-270
Platform: N/A    CVSS score: 2.6
|Vulnerability Sources
https://www.securityfocus.com/bid/83825
https://cxsecurity.com/issue/WLB-2006060098
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200606-270
|Vulnerability Details
ZMS 2.9 and earlier contain a cross-site scripting (XSS) vulnerability. When register_globals is enabled, a remote attacker can inject arbitrary web script or HTML through the raw parameter of the search field. Note that the advisory below describes ZMS as a Zope-based application, and Zope runs on Python: the register_globals condition and the PHP functions the advisory recommends are specific to PHP, so the fix that applies to the ZMS code itself is to HTML-escape the search word wherever a template reflects it back into the page.
|Exploit
[MajorSecurity #12] ZMS <= 2.9 - XSS
------------------------------------------
Software: ZMS
Version: <= 2.9
Type: Cross-site scripting
Date: June 10th, 2006
Vendor: Hoffmann+Liebenberg GmbH, SNTL Publishing GmbH & CO KG
Page: http://www.zms-publishing.com

Credits:
----------------------------
Discovered by: David "Aesthetico" Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
----------------------------
http://www.majorsecurity.de/advisory/major_rls12.txt

Affected Products:
----------------------------
ZMS 2.9 and prior

Description:
----------------------------
ZMS is a Zope-based content management system for science, technology and medicine.

Requirements:
----------------------------
register_globals = On

Vulnerability:
----------------------------
Input passed to the search form input fields is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the context of an affected site.

Solution:
----------------------------
Edit the source code to ensure that input is properly sanitised.
You should work with the "htmlspecialchars()" or "strip_tags()" PHP function to ensure that HTML tags are not going to be executed.

Example:
<?php
echo htmlspecialchars("<script");
?>

Set "register_globals" to "Off".

Exploitation:
---------------------------
Go to the search form input fields and type in the following line as the search word:
<script>alert("MajorSecurity")</script>
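The search-form reflection described in the advisory above, as an added example that is not ZMS code or the advisory author's code. Because ZMS is Zope-based and therefore Python, the comparison is written in Python rather than PHP. It models a hypothetical results page (an assumed template, not the ZMS one) that reflects the "raw" search word both into a double-quoted input attribute and as element text, renders it three ways (unescaped; with a strip_tags()-style tag filter; and with html.escape, the Python counterpart of htmlspecialchars()), and then parses each rendering the way a browser would to see whether a script element or an on* event handler survived. The first payload is the advisory's proof of concept; the two attribute-breakout variants are constructed for the example.

```python
"""Reflected XSS in a search form: unescaped, tag-stripped and escaped output.

Added example, not ZMS code. The template, the second and third payloads and
the renderer names are assumptions made for illustration.
"""
import html
import re
from html.parser import HTMLParser

# Constructed payloads. The first is the advisory's proof of concept; the
# other two target the pre-filled input attribute rather than element text.
PAYLOADS = [
    '<script>alert("MajorSecurity")</script>',
    '"><script>alert(1)</script>',
    '" onmouseover="alert(1)',
]

# Hypothetical search page: the search word is reflected twice, once inside a
# double-quoted attribute and once as element text. "raw" is the parameter
# name given in the vulnerability description.
TEMPLATE = (
    '<form method="get" action="search">'
    '<input type="text" name="raw" value="{value}">'
    '</form><p>Results for: {text}</p>'
)


def render_unescaped(raw: str) -> str:
    """The vulnerable pattern: the search word goes into the page verbatim."""
    return TEMPLATE.format(value=raw, text=raw)


def render_strip_tags(raw: str) -> str:
    """A strip_tags()-style fix: drop anything that looks like a tag."""
    cleaned = re.sub(r"<[^>]*>", "", raw)
    return TEMPLATE.format(value=cleaned, text=cleaned)


def render_escaped(raw: str) -> str:
    """The htmlspecialchars()-style fix: encode & < > " and ' as entities."""
    safe = html.escape(raw, quote=True)
    return TEMPLATE.format(value=safe, text=safe)


class _Probe(HTMLParser):
    """Parses a rendered page and counts what a browser would execute:
    <script> elements and on* event-handler attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def executes_script(page: str) -> bool:
    """True if the rendered page still contains an executable script vector."""
    probe = _Probe()
    probe.feed(page)
    probe.close()
    return probe.script_tags > 0 or probe.event_handlers > 0


def evaluate() -> dict:
    """Map each renderer to one boolean per payload: True when the payload
    survived as executable markup."""
    renderers = {
        "unescaped": render_unescaped,
        "strip_tags": render_strip_tags,
        "escaped": render_escaped,
    }
    return {name: [executes_script(fn(p)) for p in PAYLOADS]
            for name, fn in renderers.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:11s} {results}")
```

The tag filter neutralizes both payloads that contain a script element but not the attribute breakout, which contains no "<" at all, so a strip_tags()-style fix leaves the pre-filled search box exploitable. Entity encoding with quote=True (so the double quote is encoded as well) leaves nothing executable in either context. In a Zope template the same effect is obtained by escaping the value at output time rather than by filtering tags out of the input.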
|Affected Products
Zms Publishing Zms 2.9.2
|References

Source: BUGTRAQ
Name: 20060610 [MajorSecurity #12] ZMS <= 2.9 - XSS
Link: http://www.securityfocus.com/archive/1/archive/1/436703/100/0/threaded
Source: MISC
Link: http://www.majorsecurity.de/advisory/major_rls12.txt
Source: VUPEN
Name: ADV-2006-2279
Link: http://www.frsirt.com/english/advisories/2006/2279
Source: SECTRACK
Name: 1016275
Link: http://securitytracker.com/id?1016275
Source: SECUNIA
Name: 20585
Link: http://secunia.com/advisories/20585
Source: XF
Name: zms-searchform-xss(27055)
Link: http://xforce.iss.net/xforce/xfdb/27055
Source: SREASON
Name: 1093
Link: http://securityreason.com/securityalert/1093