CVE-2002-1036
CVSS7.5
发布时间 :2002-10-04 00:00:00
修订时间 :2008-09-05 16:29:36
NMCOES    

[原文]Cross-site scripting vulnerability in search.pl for Fluid Dynamics Search Engine (FDSE) before 2.0.0.0055 allows remote attackers to execute web script via the (1) Rank or (2) Match parameters.


[CNNVD]Fluid Dynamics Search Engine跨站脚本漏洞(CNNVD-200210-158)

        Fluid Dynamics Search Engine (FDSE) 2.0.0.0055之前版本的search.pl存在跨站脚本漏洞。远程攻击者借助(1)Rank或者(2)Match参数执行web脚本。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:zoltan_milosevic:fluid_dynamics_search_engine:2.0.0.0054
cpe:/a:zoltan_milosevic:fluid_dynamics_search_engine:2.0.0.0052
cpe:/a:zoltan_milosevic:fluid_dynamics_search_engine:2.0.0.0051
cpe:/a:zoltan_milosevic:fluid_dynamics_search_engine:2.0.0.0050
cpe:/a:zoltan_milosevic:fluid_dynamics_search_engine:2.0.0.0053

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1036
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1036
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-158
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/5199
(VENDOR_ADVISORY)  BID  5199
http://www.iss.net/security_center/static/9533.php
(VENDOR_ADVISORY)  XF  fd-search-xss(9533)
http://www.xav.com/scripts/search/changes.htm#4
(UNKNOWN)  CONFIRM  http://www.xav.com/scripts/search/changes.htm#4
http://archives.neohapsis.com/archives/bugtraq/2002-07/0096.html
(UNKNOWN)  BUGTRAQ  20020710 XSS Hole in Fluid Dynamics search Engine
http://archives.neohapsis.com/archives/bugtraq/2002-07/0094.html
(UNKNOWN)  BUGTRAQ  20020710 RE: XSS Hole in Fluid Dynamics Search engine

- 漏洞信息

Fluid Dynamics Search Engine跨站脚本漏洞
高危 跨站脚本
2002-10-04 00:00:00 2005-10-20 00:00:00
远程  
        Fluid Dynamics Search Engine (FDSE) 2.0.0.0055之前版本的search.pl存在跨站脚本漏洞。远程攻击者借助(1)Rank或者(2)Match参数执行web脚本。

- 公告与补丁

        Zoltan Milosevic has addressed this issue in Fluid Dynamics Search Engine version 2.0.0.0055:
        Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0054
        
        Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0052
        
        Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0050
        
        Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0053
        
        Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0051
        

- 漏洞信息 (21609)

Fluid Dynamics Search Engine 2.0 Cross Site Scripting Vulnerability (EDBID:21609)
cgi webapps
2002-07-10 Verified
0 VALDEUX
N/A [点击下载]
source: http://www.securityfocus.com/bid/5199/info

Fluid Dynamics Search Engine is a search application for local and remote web sites, and is designed to work in most UNIX and Microsoft Windows environments. Fluid Dynamics Search Engine and is maintained by Zoltan Milosevic.

It is possible for attackers to construct a URL that will cause scripting code to be embedded in a search results page. As a result, when an innocent user follows such a link, the script code will execute within the context of the hosted site.

http://www.xav.com/search.pl?Realm=All&Match=0&Terms=test&nocpp=1&maxhits=10&Rank=<br><h1>XSS</h1> 		

- 漏洞信息

9230
Fluid Dynamics Search Engine search.pl Multiple Parameter XSS
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- 漏洞描述

- 时间线

2002-07-10 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 2.0.0.0055 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Fluid Dynamics Search Engine Cross Site Scripting Vulnerability
Input Validation Error 5199
Yes No
2002-07-10 12:00:00 2009-07-11 02:56:00
Discovered by VALDEUX@aol.com.

- 受影响的程序版本

Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0054
Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0053
Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0052
Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0051
Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0050
Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0055

- 不受影响的程序版本

Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0055

- 漏洞讨论

Fluid Dynamics Search Engine is a search application for local and remote web sites, and is designed to work in most UNIX and Microsoft Windows environments. Fluid Dynamics Search Engine and is maintained by Zoltan Milosevic.

It is possible for attackers to construct a URL that will cause scripting code to be embedded in a search results page. As a result, when an innocent user follows such a link, the script code will execute within the context of the hosted site.

Versions prior to 2.0.0.0055 are affected by this issue.

- 漏洞利用

A proof of concept example has been provided by valdeux &lt;valdeux@aol.com&gt;:

http://www.xav.com/search.pl?Realm=All&amp;Match=0&amp;Terms=test&amp;nocpp=1&amp;maxhits=10&amp;Rank=&lt;br&gt;&lt;h1&gt;XSS&lt;/h1&gt;

- 解决方案

Zoltan Milosevic has addressed this issue in Fluid Dynamics Search Engine version 2.0.0.0055:


Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0054

Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0052

Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0050

Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0053

Zoltan Milosevic Fluid Dynamics Search Engine 2.0 .0051

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站