
[Repost] PsychoStats 2.2.4 Beta and Earlier Cross-Site Scripting Vulnerability

Posted on 2005-7-3 17:38:33, from China–Jilin–Changchun
Everyone, be careful.

Source: bugtraq@securityfocus.com

##########################################################
# GulfTech Security Research December 22nd, 2004
##########################################################
# Vendor : Jason Morriss
# URL : http://www.psychostats.com/
# Version : PsychoStats 2.2.4 Beta && Earlier
# Risk : Cross Site Scripting
##########################################################

Description:
PsychoStats is a statistics generator for games. Currently there is support
for a handful of Half-Life "MODs" including Counter-Strike, Day of Defeat,
and Natural Selection. PsychoStats gathers statistics from the log files that
game servers create by reading through the logs and then calculating detailed
statistics for players, maps, weapons and clans. These detailed statistics
are stored in a MySQL database which are then viewed online from your website
using a set of PHP web pages.

Cross Site Scripting:
Cross site scripting exists in Jason Morriss PsychoStats. This vulnerability
exists due to user supplied input not being checked properly. Below is an
example.

http://www.example.com/stats/login.php?login=[XSS]

This vulnerability could be used to steal cookie based authentication
credentials within the scope of the current domain, or render hostile code
in a victim's browser.

Solution:
The vendor was contacted, responded very promptly and said he will be
addressing the issue soon and has released an updated version of the software.

http://www.psychostats.com/forums/viewtopic.php?t=11022

You can find directions on how to install the patch at the link listed
above. Users should upgrade as soon as they can.

Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=re ... e_id=00057-12222004

Credits:
James Bercegay of the GulfTech Security Research Team
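The advisory above only says that the `login` parameter of `login.php` is reflected without being checked. The following is an added illustration, not PsychoStats code and not part of the original post, of what that class of bug looks like in a PHP page and how output encoding closes it. The page fragment, function names and the sample input are all hypothetical.

```php
<?php
// Added example (hypothetical, not PsychoStats code): a login form that echoes
// the ?login= query parameter back into the page, in a vulnerable and a fixed form.
declare(strict_types=1);

// Escape a string for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// VULNERABLE pattern (the bug class the advisory describes): the parameter is
// written into the markup unchanged, so any tags or quotes it contains become
// part of the page the browser renders.
function render_login_form_vulnerable(array $query): string
{
    $login = $query['login'] ?? '';
    return '<input type="text" name="login" value="' . $login . '">';
}

// HARDENED pattern: the same value is encoded at the point of output, so
// <, >, ", ' and & arrive in the browser as entities and display as plain text.
function render_login_form_safe(array $query): string
{
    $login = $query['login'] ?? '';
    return '<input type="text" name="login" value="' . html_escape($login) . '">';
}

// Constructed sample input containing a closing quote and markup. In the
// vulnerable version it terminates the value attribute and injects a <b> tag;
// in the safe version it is displayed literally inside the text box.
$sample = ['login' => '"><b>probe</b>'];
echo render_login_form_vulnerable($sample), PHP_EOL;
// -> <input type="text" name="login" value=""><b>probe</b>">
echo render_login_form_safe($sample), PHP_EOL;
// -> <input type="text" name="login" value="&quot;&gt;&lt;b&gt;probe&lt;/b&gt;">
```

The fix is applied where the value is written into HTML rather than where it is read, because the same parameter may be reused in several contexts; encoding for the HTML attribute context is the right choice for this fragment, while a value placed inside a `<script>` block or a URL would need a different encoder.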
Posted on 2005-7-3 21:15:06, from China–Guangdong–Shenzhen
No way. Is it really that bad?

Original poster | Posted on 2005-7-4 21:53:47, from China–Jilin–Changchun
There are always security risks; just be careful.

Posted on 2005-7-5 02:32:36, from China–Shaanxi–Xi'an
I don't understand it... could an expert explain? Let's all guard against it together. Don't leave us out in the cold.

Original poster | Posted on 2005-7-5 11:23:02, from China–Jilin–Changchun
PsychoStats already has an official fix; you can resolve this problem by upgrading the software. For details, see: http://www.psychostats.com/forums/viewtopic.php?t=11022