#####################################################################################
#Title: WB News (Webmobo) 2.3.3 Stored XSS#
#Vendor:http://www.webmobo.org/ #
#####################################################################################
#AUTHOR:ITSecTeam #
#Email: Bug@ITSecTeam.com #
#Website: http://www.itsecteam.com#
#Forum :http://forum.ITSecTeam.com#
#Original Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability44.htm#
#Thanks:r3dm0v3 [r3dm0v3_at_ymail.com], Pejvak, am!rkh@n#
#####################################################################################

#DESCRIPTION (by vendor):############################################################
WB News is a PHP news management system which requires a MySQL/PostgreSQL database. The system is meant for quick and easy build to integrate news into an existing site or used as a framework with many systems such as Authentication, Template Engine, Database Abstraction and more.

#BUG:################################################################################
file /base/Comments.php:
85: foreach ( $comments as $comment )
86: {
87:     $rows[] = array(
88:         "message" => nl2br( textWrap( htmlspecialchars( filter( $comment["message"] ) ) ) ),
89:         "name" => NULL != $comment["postname"] ? $comment["postname"] : $comment["name"], //<---vulnerable line
90:         "date" => tz_date( Configuration::getInstance()->getOption("dateFormat"), $comment["timeposted"] )
91:     );
92: }

file /templates/default/list-comments.ihtml:
17: <td><strong><?php echo __("Posted By") ?>:</strong> <?php echo $r["name"] ?> On: <?php echo $r["date"] ?></td>

The comment sender's name is not filtered and is sent to the browser! Unlike "message" on line 88, which is passed through htmlspecialchars(), neither branch of the "name" expression on line 89 is escaped, and the template echoes $r["name"] as-is. Because the name is stored with the comment and rendered for every visitor who views the comment list, this is a stored XSS. The fix is to escape the value for the HTML context where it is output, e.g. <?php echo htmlspecialchars( $r["name"], ENT_QUOTES, 'UTF-8' ) ?> on line 17 of the template, or to apply htmlspecialchars() to the name on line 89 the same way it is applied to the message.

#EXPLOIT:############################################################################
Go to comments and post any script as the comment sender's name!