Published: 2003-10-29 00:00:00
Revised: 2008-09-05 16:36:16

[Original] chatbox.php in e107 0.554 and 0.603 allows remote attackers to cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded.

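[CNNVD] E107 Chatbox.php Denial of Service Vulnerability (CNNVD-200310-086)

        chatbox.php in e107 versions 0.554 and 0.603 contains a vulnerability. A remote attacker can cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded.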

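- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]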

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(PATCH)  BID  8930
(VENDOR_ADVISORY)  XF  e107chatboxdos(13553)
(UNKNOWN)  BUGTRAQ  20031029 E107 DoS vulnerability

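- Vulnerability Information

E107 Chatbox.php Denial of Service Vulnerability
Medium severity  Input validation
2003-10-29 00:00:00 2005-10-20 00:00:00
        chatbox.php in e107 versions 0.554 and 0.603 contains a vulnerability. A remote attacker can cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded.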

- Advisories and Patches

        The vendor has supplied a fix to address this issue: e107 website system 0.545
        e107 website system 0.603

- Vulnerability Information (23311)

E107 Chatbox.php Denial of Service Vulnerability (EDBID:23311)
php webapps
2003-10-29 Verified
0 Blademaster
N/A

It has been reported that E107 may be prone to a denial of service vulnerability. The issue has been reported to exist due to improper handling of user-supplied data in the form of HTML or script code to the 'Name:' field of Chatbox.php script. This issue may cause the software to behave in an unstable manner leading to a crash.

Successful exploitation of this issue may allow an attacker to cause the software to crash or hang.

It should be noted that although this vulnerability has been reported to affect E107 versions 0.545 and 0.603, other versions might also be affected. 

In the Name inputbox of the Chatbox type:

<script = javascript> alert('DoS') <script> 		

- Vulnerability Information

e107 Chatbox.php Name Parameter DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability Description

e107 contains a flaw that may allow a remote denial of service. The issue is triggered when invalid input is supplied in the "Name:" field of the Chatbox.php script, and will result in loss of availability for certain pages.

- Timeline

2003-10-29 2003-10-28
2003-10-28 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Disable the "Chatbox.php" module.

- Related References

- Vulnerability Author

Unknown or Incomplete