关联漏洞
标题:
N/A
(CVE-2024-48589)
描述:Gilnei Moraes phpABook v.0.9 中存在跨站脚本漏洞,远程攻击者可以通过在 index.php 中的 rol 参数中插入恶意脚本代码来利用此漏洞执行任意代码。
介绍
# phpAbook 9.0i - Cross-Site Scripting (XSS) Vulnerability (CVE-2024-48589)
---
**Summary:**
A **Cross-Site Scripting (XSS)** vulnerability was discovered in the `rol` parameter of `index.php` or the path section in the phpAbook application. This vulnerability allows an attacker to inject arbitrary JavaScript code into a user's browser, potentially leading to:
- Disclosure of sensitive information, including session cookies
- Unauthorized actions within the application context
The issue arises due to improper validation and sanitization of user-supplied input.
---
**Impact:**
An attacker can craft a URL with a malicious script in the `rol` parameter or path section and trick a user into visiting the link or execute the link directly in the browser.
---
Proof of Concept (PoC):
Access the index.php page of the phpabook application.

Append an XSS payload to the index.php URL. For example:
```
/abc"><script>alert(document.domain)</script>
```

Another vulnerable parameter is rol, which can be found in the "Show All" tab.

Inject the XSS payload into the rol parameter. For example:
```
rol=abc"><script>alert(document.domain)</script>
```

文件快照
[4.0K] /data/pocs/421fb47318f7bd0baf8144e260708717cdb0eccf
├── [4.0K] attachments
│ ├── [231K] pic1.png
│ ├── [141K] pic2.png
│ ├── [238K] pic3.png
│ └── [144K] pic4.png
└── [1.2K] README.md
1 directory, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。