DSChat 聊天框 跨站脚本攻击(XSS)漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1194870 漏洞类型 跨站脚本
发布时间 2006-05-25 更新时间 2006-05-26
CVE编号 CVE-2006-2605 CNNVD-ID CNNVD-200605-471
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://cxsecurity.com/issue/WLB-2006050152
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-471
|漏洞详情
DSChat1.0及之前版本存在跨站脚本攻击(XSS)漏洞。远程攻击者可以借助聊天框注入任意Web脚本或HTML,可能涉及对send.php的ctext参数。
|漏洞EXP
DSChat <= 1.0 XSS

Discovered by: Nomenumbra

Date: 21/5/2006

impact:moderate (possible defacement)

DSChat is a PHP-based chatscript which does no filtering

against XSS whatsoever, thus allowing anyone to insert

html or javascript in the chatbox.

Nomenumbra
|参考资料

来源:BID
名称:18084
链接:http://www.securityfocus.com/bid/18084
来源:BUGTRAQ
名称:20060522DSChat<=1.0XSS
链接:http://www.securityfocus.com/archive/1/archive/1/434821/100/0/threaded
来源:VUPEN
名称:ADV-2006-1961
链接:http://www.frsirt.com/english/advisories/2006/1961
来源:SECUNIA
名称:20258
链接:http://secunia.com/advisories/20258
来源:XF
名称:dschat-send-xss(26641)
链接:http://xforce.iss.net/xforce/xfdb/26641
来源:OSVDB
名称:25734
链接:http://www.osvdb.org/25734
来源:SECTRACK
名称:1016148
链接:http://securitytracker.com/id?1016148
来源:SREASON
名称:958
链接:http://securityreason.com/securityalert/958