CVE-2003-0375
CVSS4.3
Published: 2003-06-16 00:00:00
Revised: 2016-10-17 22:33:07
NMCOES

[Original] Cross-site scripting (XSS) vulnerability in member.php of XMBforum XMB 1.8.x (aka Partagium) allows remote attackers to insert arbitrary HTML and web script via the "member" parameter.


[CNNVD] XMB Forum Member.PHP Cross-Site Scripting Vulnerability (CNNVD-200306-071)

XMBforum XMB 1.8.x (also known as Partagium) has a cross-site scripting (XSS) vulnerability in member.php. A remote attacker can insert arbitrary HTML and web script via the "member" parameter.

- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:xmb_forum:xmb:1.6
cpe:/a:xmb_forum:xmb:1.11
cpe:/a:xmb_forum:xmb:1.8

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0375
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0375
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-071
(official data source) CNNVD

- Other links and resources

http://forums.xmbforum.com/viewthread.php?tid=773046
(UNKNOWN)  MISC  http://forums.xmbforum.com/viewthread.php?tid=773046
http://marc.info/?l=bugtraq&m=105363936402228&w=2
(UNKNOWN)  BUGTRAQ  20030522 XMB 1.8 Partagium cross site scripting vulnerability
http://www.securityfocus.com/bid/7662
(UNKNOWN)  BID  7662

- Vulnerability information

XMB Forum Member.PHP Cross-Site Scripting Vulnerability
Medium severity; Cross-site scripting
2003-06-16 00:00:00 2005-10-20 00:00:00
Remote
XMBforum XMB 1.8.x (also known as Partagium) has a cross-site scripting (XSS) vulnerability in member.php. A remote attacker can insert arbitrary HTML and web script via the "member" parameter.

- Advisory and patch

The vendor has released an update. Contact the vendor for more information.

- Vulnerability information (22632)

XMB Forum 1.8 Member.PHP Cross-Site Scripting Vulnerability (EDBID:22632)
php webapps
2003-06-22 Verified
0 Marc Ruef
N/A
source: http://www.securityfocus.com/bid/7662/info

XMB Forum has been reported prone to a cross-site scripting vulnerability.

XMB Forum fails to adequately filter script code from URL parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to a specific XMB Forum script.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users of a host running XMB Forum.

Note that although this vulnerability has been reported to affect XMB Forum 1.8, previous versions might also be affected. 

http://www.example.com/forum/member.php?action=viewpro&member=%3Cdiv%3E%3Cfont%20color=%22red%22%3EMarc%3C/font%3E%3Cscript%3Ealert(%22Ruef%22);%3C/script%3E%3C/div%3E


- Vulnerability information (22820)

XMB Forum 1.8 member.php member Parameter XSS (EDBID:22820)
php webapps
2003-06-23 Verified
0 Knight Commander
N/A
source: http://www.securityfocus.com/bid/8013/info

XMB Forum has been reported prone to multiple cross-site scripting and HTML-injection vulnerabilities because the application fails to sanitize user-supplied data. 

An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user.

http://www.example.com/XMBforum/member.php?action=viewpro&member=admin<script>alert('XSS')</script>

- Vulnerability information

2191
XMB Forum member.php member Parameter XSS
Remote / Network Access; Input Manipulation
Loss of Integrity; Upgrade
Exploit Public

- Vulnerability description

XMB Forum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'member' variable upon submission to the 'member.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
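As an added illustration (not XMB's actual source, and the function names are hypothetical), a minimal PHP profile handler of the kind described above, showing the unvalidated `member` value being reflected into the page beside the hardened form that encodes it for an HTML text context:

```php
<?php
// Illustrative reconstruction (NOT XMB's member.php): a "viewpro" page that
// reads the "member" query parameter and reflects it into the HTML response.
function render_profile_vulnerable(array $get): string {
    $member = $get['member'] ?? '';
    // The raw value is concatenated into markup, so any <script> tag in the
    // parameter is returned to the browser as live HTML and executes.
    return "<h1>Profile of " . $member . "</h1>";
}

// Hardened form: encode the value for the HTML text context before output.
function render_profile_fixed(array $get): string {
    $member = $get['member'] ?? '';
    // ENT_QUOTES encodes both quote styles (safe if the value is later reused
    // in an attribute); ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
    $safe = htmlspecialchars($member, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Profile of " . $safe . "</h1>";
}

// Constructed sample request mirroring the shape of the published proof of concept.
$sample = ['action' => 'viewpro', 'member' => 'admin<script>alert(1)</script>'];
echo render_profile_vulnerable($sample), PHP_EOL; // tags reach the browser intact
echo render_profile_fixed($sample), PHP_EOL;      // tags arrive as inert &lt;script&gt; text
```

Encoding at output is the fix for this class of bug; rejecting or stripping "<script>" on input is not sufficient, because the same value can be injected through other tags and attribute contexts.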

- Timeline

2003-06-22 Unknown
2003-06-22 Unknown

- Solution

Upgrade to version 1.8 Partagium Final SP1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

XMB Forum Member.PHP Cross-Site Scripting Vulnerability
Class: Input Validation Error  Bugtraq ID: 7662
Remote: Yes  Local: No
Published: 2003-05-22 12:00:00  Updated: 2008-09-11 07:41:00
Discovery of this vulnerability has been credited to Marc Ruef <marc.ruef@computec.ch>.

- Affected program versions

XMB Forum 1.8 SP1
XMB Forum 1.8
XMB Forum 1.9.8

- Unaffected program versions

XMB Forum 1.9.8

- Vulnerability discussion

XMB Forum has been reported prone to a cross-site scripting vulnerability.

XMB Forum fails to adequately filter script code from URL parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to a specific XMB Forum script.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users of a host running XMB Forum.

Note that although this vulnerability has been reported to affect XMB Forum 1.8, previous versions might also be affected.

- Exploit

The following proof of concept has been provided by Marc Ruef <marc.ruef@computec.ch>:

http://www.example.com/forum/member.php?action=viewpro&member=%3Cdiv%3E%3Cfont%20color=%22red%22%3EMarc%3C/font%3E%3Cscript%3Ealert(%22Ruef%22);%3C/script%3E%3C/div%3E

- Solution

The vendor has released an update. Contact the vendor for more information.

- References
