QLnews Multiple Cross-Site Scripting Vulnerabilities

Vulnerability ID: 1195540
Vulnerability type: Cross-site scripting
Published: 2006-04-02
Updated: 2006-04-03
CVE ID: CVE-2006-1575
CNNVD-ID: CNNVD-200604-004
Platform: N/A
CVSS score: 6.8
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2006040032
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-004
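|Vulnerability Details
Multiple cross-site scripting (XSS) vulnerabilities in news.php in QLnews 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) i and (2) text parameters.
|Vulnerability Exploit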
New eVuln Advisory:
QLnews XSS and PHP Code Insertion Vulnerabilities
http://evuln.com/vulns/113/summary.html

--------------------Summary----------------
eVuln ID: EV0113
CVE: CVE-2006-1575 CVE-2006-1576
Software: QLnews
Software's Web Site: http://www.vscripts.pl/
Versions: 1.2
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
PoC/Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. Cross-Site Scripting.

Vulnerable Script: news.php

Parameters autorx, newsx are not properly sanitized. This can be used to post arbitrary HTML or web script code.

2. PHP Code Insertion.

An administrator has the ability to edit variable values in the config.php file. This can be used to insert arbitrary PHP code into the config file, which is executed by every PHP script.

System access is possible.

Condition: magic_quotes_gpc = off

--------------PoC/Exploit----------------------
Available at: http://evuln.com/vulns/113/exploit.html

--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
|References

Source: BID
Name: 17335
Link: http://www.securityfocus.com/bid/17335
Source: SECUNIA
Name: 19479
Link: http://secunia.com/advisories/19479
Source: MISC
Link: http://evuln.com/vulns/113/description.html
Source: XF
Name: qlnews-news-xss(25546)
Link: http://xforce.iss.net/xforce/xfdb/25546
Source: BUGTRAQ
Name: 20060412 [eVuln] QLnews XSS and PHP Code Insertion Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/430741/100/0/threaded
Source: OSVDB
Name: 24290
Link: http://www.osvdb.org/24290
Source: SREASON
Name: 699
Link: http://securityreason.com/securityalert/699