`

Zend studio location Cross-Domain Scripting Vulnerability

    博客分类:
  • php
阅读更多

Author: www.80vul.com [Email: saiy1986@gmail.com]
Release Date: 2010/7/10
References: http://80vul.com/Zend%20studio/Zend%20studio%20location%20Cross.htm

 

Zend Studio is a commercial, proprietary integrated development environment (IDE) for PHP developed by Zend Technologies, based on the PHP Development Tools (PDT) plugin for the Eclipse platform (the PDT project is led by Zend).

We found a security bug of it in Zend studio [version >6.0], the description of a function of php script does'nt be escaped or htmlencode, so it lead to can be exploited to execute arbitrary HTML and script code what the attacker inject evil codz on function’s description.

 

And this vul is a “Cross-Zone Scripting” vul, so Successful exploitation allows execution of arbitrary code in user’s system.

 

DEMO:

 

<?php

 

/**

* <script>new ActiveXObject("WScript.shell").Run('calc.exe',1,true);</script>");

*/

function a() {

}

 

Then Open the function a()’s description [type a word "a" or move your mouse on it] ,the calc.exe well be run.

Disclosure Timeline:

2010/07/08 - Found this Vulnerability
2010/07/10 - Public Disclosure

 

 

 

分享到:
评论
发表评论

文章已被作者锁定,不允许评论。

相关推荐

    Cross-site Scripting

    **跨站脚本攻击(Cross-Site Scripting, XSS):威胁、机制与防范** 在当今高度数字化的社会中,网络安全已成为不可忽视的关键议题。其中,跨站脚本攻击(Cross-Site Scripting, XSS)是一种常见的网络攻击方式,对...

    Complete Cross-site Scripting Walkthrough

    跨站脚本攻击(Cross-Site Scripting,简称XSS)是一种常见的网络安全漏洞,主要出现在Web应用程序中。这类攻击通常利用Web应用对用户输入数据处理不当的情况,允许攻击者将恶意脚本注入到网页中,当其他用户访问...

    uNode - Visual Scripting - 2.3.unitypackage

    uNode - Visual Scripting - 2.3.unitypackage uNode - Visual Scripting - 2.3.unitypackage uNode - Visual Scripting - 2.3.unitypackage

    cross_site_scripting.pdf

    ### 跨站脚本攻击(Cross-Site Scripting, XSS)概述 跨站脚本攻击(Cross-Site Scripting, 简称XSS),是一种常见的网络安全漏洞,它允许攻击者将恶意脚本注入到看似无害的数据中,然后通过受害者的浏览器执行这些...

    **XSS** 即跨站脚本攻击(Cross-Site Scripting),是一种常见的 Web 应用程序安全漏洞

    xss

    kotlin-scripting-compiler-impl.jar

    kotlin-scripting-compiler-impl.jar

    JavaScript Security(PACKT,2014)

    You will then focus on one of the most common JavaScript security attacks, cross-site scripting, and how to prevent cross-site scripting and cross-site forgery. Last but not least, the book covers ...

    144286934.pdf

    There are several work is going on in the direction of securing Cross-Site Scripting Vulnerability. The work is also going on to finding the possible threats in the direction of attack detection. ...

    ug894-vivado-tcl-scripting.pdf

    《Vivado Design Suite User Guide: Using Tcl Scripting UG894》是一份详细指导文档,旨在帮助用户掌握如何在Vivado中有效地利用Tcl进行脚本编写。该文档的2022.2版本发布于2022年10月19日,提供了关于Tcl在Vivado...

    xss跨站点脚本编制漏洞/antisamy策略过滤

    XSS跨站点脚本注入攻击过滤器,包括antisamy官方提供的各种策略xml文件。 antisamy-slashdot.xml 策略 antisamy-ebay.xml 策略 antisamy-myspace.xml 策略 antisamy-anythinggoes.xml 策略

    HFSS-MATLAB-SCRIPTING-API

    the HFSS Scripting Interface. This tool provides a set of MATLAB functions to create 3D objects in HFSS by generating the required HFSS Scripts. Basically, anything that can be done in HFSS user ...

    WebCruiser - Web Vulnerability Scanner(Web漏洞扫描器)

    It has a Crawler and Vulnerability Scanner (SQL Injection, Cross Site Scripting). It can support not only scanning website, but also POC (Proof of concept) for web vulnerabilities: SQL Injection and ...

    photoshop-cc-scripting-guide-2015.pdf

    文档中的"Photoshop Scripting Basics"部分,首先对脚本编程进行了概述,解释了为什么以及如何使用脚本来自动化工作流程。这里会涵盖脚本的基本结构、语法,以及如何启动和运行脚本。脚本通常可以作为独立的文本文件...

    struts-scripting-1.0.1

    Struts Scripting 1.0.1 是一个用于Apache Struts框架的扩展,它允许开发者在Struts应用程序中集成各种脚本语言,如JavaScript、Groovy、BeanShell等。这个版本发布于较早的时期,旨在提升开发效率,提供更灵活的...

    Sigrity-TCL Scripting Reference.rar

    Sigrity-TCL Scripting Reference.rar Cadence Sigrity支持工具命令语言(TCL),这是一种常见的EDA脚本语言。 Sigrity为许多GUI操作提供了TCL支持,包括网络、组件、形状等操作。 Cadence Sigrity可以加密TCL脚本以...

    Microsoft - Windows Scripting With Wmi(2007)

    《Microsoft - Windows Scripting With Wmi(2007)》是关于Windows Management Instrumentation(WMI)技术的一本PDF教程,旨在帮助IT专业人士深入理解和掌握利用WMI进行Windows脚本编程的技术。WMI是微软提供的一种...

    Cross Frame 与不同域进行交互

    标题中的“Cross Frame 与不同域进行交互”指的是在Web开发中处理跨域问题的一种技术。在HTML中,由于浏览器的同源策略(Same-origin policy),JavaScript通常不能直接访问或操作不同源(协议、域名、端口)的页面...

Global site tag (gtag.js) - Google Analytics