CVE-2006-3062
CVSS 2.6
Published: 2006-06-19 06:02:00
Last modified: 2011-03-07 21:37:33

[Original] Cross-site scripting (XSS) vulnerability in index.php in myPHP Guestbook 2.0.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the lang parameter.


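[CNNVD] myPHP Guestbook index.php cross-site scripting (XSS) vulnerability (CNNVD-200606-371)

        index.php in myPHP Guestbook 2.0.4 and earlier contains a cross-site scripting (XSS) vulnerability. Remote attackers can inject arbitrary web script or HTML via the lang parameter.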

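- CVSS (base score)

CVSS score: 2.6 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found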

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3062
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3062
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-371
(Official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2308
(UNKNOWN)  VUPEN  ADV-2006-2308
http://www.securityfocus.com/archive/1/archive/1/436842/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060609 myPHP Guestbook 2.0.2 XSS Vulnerabilitie
http://secunia.com/advisories/20572
(VENDOR_ADVISORY)  SECUNIA  20572
http://xforce.iss.net/xforce/xfdb/27074
(UNKNOWN)  XF  myphpguestbook-index-xss(27074)
http://securityreason.com/securityalert/1110
(UNKNOWN)  SREASON  1110

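- Vulnerability information

myPHP Guestbook index.php cross-site scripting (XSS) vulnerability
Low risk; cross-site scripting
2006-06-19 00:00:00 2006-06-19 00:00:00
Remote
        index.php in myPHP Guestbook 2.0.4 and earlier contains a cross-site scripting (XSS) vulnerability. Remote attackers can inject arbitrary web script or HTML via the lang parameter.

- Advisories and patches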

        

- Vulnerability information (F47786)

OpenPKG-SA-2006-010.txt (PacketStormID:F47786)
2006-06-27 00:00:00
 
advisory
CVE-2006-3062

OpenPKG Security Advisory OpenPKG-SA-2006.010 - According to a vendor security release note, a memory allocation attack possibility exists in the GnuPG cryptography tool, versions 1.4.3 and earlier.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security/                  http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2006.010                                          26-Jun-2006
________________________________________________________________________

Package:             gnupg
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= gnupg-1.4.3-20060403   >= gnupg-1.4.4-20060625
OpenPKG 2.20060622   <= gnupg-1.4.4-2.20060622 >= gnupg-1.4.4-2.20060622
OpenPKG 2.5          <= gnupg-1.4.2-2.5.1      >= gnupg-1.4.2-2.5.2

Description:
  According to a vendor security release note [0], a memory allocation
  attack possibility exists in the GnuPG [1] cryptography tool, version
  1.4.3 and earlier. The problem allows remote attackers to cause a
  Denial of Service (DoS) (GnuPG crashes) and possibly overwrite memory
  via a message packet with a large length, which could lead to an
  integer overflow, as demonstrated using the "--no-armor" option. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CVE-2006-3082 [2] to the problem.
________________________________________________________________________

References:
  [0] http://lists.gnupg.org/pipermail/gnupg-announce/2006q2/000226.html 
  [1] http://www.gnupg.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3082
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFEn3w1gHWT4GPEy58RAvHNAJ9ic2qU5anYD320UzejXFkfnNGEQgCfVdx+
qSDOaeFyJKJ3Lo2n6MsiR38=
=8KLS
-----END PGP SIGNATURE-----
    

- Vulnerability information

26422
myPHP Guestbook index.php lang Parameter XSS
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-06-09 Unknown
2006-06-09 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
