发布时间 :2002-12-31 00:00:00
修订时间 :2008-09-05 16:32:42

[原文]Cross-site scripting (XSS) vulnerability in VisNetic Website before 3.5.15 allows remote attackers to inject arbitrary web script or HTML via the HTTP referer header (HTTP_REFERER) to a non-existent page, which is injected into the resulting 404 error page.

[CNNVD]Deerfield VisNetic WebSite跨站脚本攻击漏洞(CNNVD-200212-852)

        VisNetic Website 3.5.15之前版本存在跨站脚本攻击(XSS)漏洞。远程攻击者借助指向不存在页面的HTTP引用头注入任意web脚本或HTML。该漏洞导致注入404错误页面。

- CVSS (基础分值)

CVSS分值: 4.3 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-79 [在Web页面生成时对输入的转义处理不恰当(跨站脚本)]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(PATCH)  BID  6369
(UNKNOWN)  XF  visnetic-website-referer-xss(10852)
(UNKNOWN)  BUGTRAQ  20021212 VisNetic WebSite XSS vulnerability through HTTP referer header

- 漏洞信息

Deerfield VisNetic WebSite跨站脚本攻击漏洞
中危 跨站脚本
2002-12-31 00:00:00 2002-12-31 00:00:00
        VisNetic Website 3.5.15之前版本存在跨站脚本攻击(XSS)漏洞。远程攻击者借助指向不存在页面的HTTP引用头注入任意web脚本或HTML。该漏洞导致注入404错误页面。

- 公告与补丁

        This issue has been addressed in the latest version of VisNetic Website. Users are advised to upgrade as soon as possible.
        Deerfield VisNetic Website 3.5.13 .1

- 漏洞信息 (22083)

Deerfield VisNetic WebSite 3.5.13 .1 Cross Site Scripting Vulnerability (EDBID:22083)
php webapps
2002-12-12 Verified
0 Ory Segal
N/A [点击下载]

A vulnerability has been discovered in VisNetic Website when generating a 404 page for a non-existent resources. The issue is due to insufficient sanitization of the HTTP 'referer' header. It is possible to cause arbitrary code to be executed within the context of the visited 404 page by embedding script code into the HTTP 'referer' header.

An attacker could exploit this issue to steal cookie-based authentication credentials which could be used to hijack a legitimate users session.

It should be noted that this vulnerability was discovered in VisNetic WebSite It is not yet known whether this issue also affects earlier versions.

GET /NonExistentPage.html HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('Cross Site Scripting')</script>		

- 漏洞信息

VisNetic WebSite 404 Error Page HTTP_REFERER Header XSS
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2002-12-12 Unknow
2002-12-12 Unknow

- 解决方案

Upgrade to version 3.5.15 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete