appRain CMF v0.1.5: Multiple Web Vulnerabilities and Fixes

  Introduction:

  =============

  appRain is one of the first officially released Opensource Content Management Framework (CMF).

  CMF is a new web engineering concept where CMS (Content Management System) and Framework

  perform together to produce endless varieties of output in a very limited time.

  appRain, published with lots of extensive features to reduce our development work time.

  It satisfies both Client and Developers with a safe and quality output.

  (Copy of the Vendor Homepage: https://www.apprain.com/)

  Abstract:

  =========

  Vulnerability-Lab Team discovered multiple web vulnerabilities on the new appRain CMF v0.1.5

  Status:

  ========

  Published

  Affected Versions:

  ==================

  appRain CMF v0.1.5

  Exploitation-Technique:

  =======================

  Remote

  Technical Analysis:

  ========

  Multiple web vulnerabilities are detected on the new appRain CMF v0.1.5.

  1.1

  A SQL injection vulnerability is detected in appRain CMF v0.1.5. The bug allows a remote attacker to inject and execute their own SQL statements via the vulnerable request parameter. Successful exploitation of the bug can lead to DBMS and CMS compromise.

  Vulnerable Module(s):

  [ ] Forum (SQL Injection)

  1.2

  A non-persistent cross-site scripting vulnerability is detected in appRain CMF v0.1.5. The vulnerability allows remote attackers to hijack skype customer sessions via cross-site scripting. Successful exploitation of the client-side vulnerability can result in session hijacking and account theft (user/customer/moderator/administrator).

  Vulnerable Module(s):

  [ ] Search (Cross Site Scripting)

  Proof of Concept:

  =================

  The vulnerabilities can be exploited by remote attackers. For example or reproduce ...

  1.1

  https://www.2cto.com /quickstart/profile/-1 union all select 1,2,3,@@version,@@datadir,6,7,8,9,10,11,12,13,14,15,16,17,18,19--

  1.2

  https://www.2cto.com /quickstart/search

  POST: Inject anything script related into ss

  <form method="post" action="https://www.xxx.com/quickstart/search">

  <input type="text" name="ss" class="src-box" value="" />

  <input type="submit" class="src-btn" value="Search" />

  </form>

  Solution:

  =========

  1.1

  Use the prepared statement class to fix the SQL injection vulnerability and filter SQL error requests.

  Set error(0) to prevent information disclosure via exceptions or error reports.

  1.2

  Parse the input fields and restrict characters like () > < \\ / etc. to prevent script inclusion.

  Also parse the vulnerable output sections where the script code is executed outside the module context.
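
  Added example (not from the advisory or appRain's own code): both fixes in PHP, assuming PDO with the SQLite driver. The `profiles` table, `loadProfile` and `renderSearchBox` are hypothetical names, and the `display_errors` setting is one reading of the advisory's "Set error(0)".

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for the profile data (schema is an assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO profiles (id, name) VALUES (1, 'alice')");

// 1.1: validate the path segment, then bind it instead of concatenating it into SQL.
function loadProfile(PDO $db, string $segment): ?array
{
    // Only strictly numeric ids are accepted; a segment carrying SQL keywords stops here.
    if (!ctype_digit($segment)) {
        return null;
    }
    // The bound integer is sent as data and cannot change the statement's structure.
    $stmt = $db->prepare('SELECT id, name FROM profiles WHERE id = :id');
    $stmt->bindValue(':id', (int) $segment, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 1.2: encode the search term for the HTML attribute it is echoed back into.
function renderSearchBox(string $ss): string
{
    // ENT_QUOTES encodes both quote styles, so the value cannot close the attribute.
    $safe = htmlspecialchars($ss, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="ss" class="src-box" value="' . $safe . '" />';
}

// Keep database and PHP errors out of responses; log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed inputs: a valid id, the path-segment shape from the proof of concept,
// and markup submitted in the ss field.
var_dump(loadProfile($db, '1'));
var_dump(loadProfile($db, '-1 union all select 1,2,3'));
echo renderSearchBox('"><script>alert(1)</script>'), PHP_EOL;
```

  Encoding at output time covers the reflected `ss` value without relying on a character blacklist at input.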

  Risk:

  =====

  The security risk of the SQL injection is estimated as critical.

  The security risk of the non-persistent cross-site scripting vulnerability is estimated as low( ) because of the high level of user interaction required.

  Copyright © 2011 | Vulnerability-Lab

Last edited: 2020-11-15. Author: 财米配资君
