Open Source and information security mailing list archives
Date: Tue, 26 Jan 2010 15:12:10 -0700
Subject: [InterN0T] ShareTronix 1.0.4 - HTML Injection Vulnerability

ShareTronix - HTML Injection Vulnerability

Version Affected: 1.0.4 (newest)


Sharetronix Opensource is a multimedia microblogging platform. 

It helps people in a community, company, or group to exchange short messages over the Web.

Credits: MaXe from InterN0T (patched the vulnerability) & Reelix (found the vulnerability)

External Links:

-:: The Advisory ::-

The header.php file that renders a single microblog entry does not sanitize page_title correctly before echoing it into the <title> element.

page_title is set from user input when an entry is posted to the microblog platform.



00013: <title><?= $D->page_title ?></title>



00014: <title><?= $D->page_title ?></title>

-:: Solution ::-


00013: <title><?= htmlentities($D->page_title); ?></title>



00014: <title><?= htmlentities($D->page_title); ?></title>
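The two template lines above, modelled side by side as an added example (this is not Sharetronix code; the function names and the $title parameter, which stands in for $D->page_title, are assumptions). Inside <title> the browser treats content as RCDATA, so no tag is parsed until a literal </title> appears; the vulnerable version lets a stored entry title supply exactly that, while the fixed version encodes the angle brackets so the closing tag never forms. The flags and charset passed to htmlentities are the ones a practitioner would want in a new fix; the advisory's own patch uses the PHP defaults, which in PHP 5.x were ENT_COMPAT and ISO-8859-1.

```php
<?php
// Added example, not code from the Sharetronix project.
// $title stands in for the user-controlled $D->page_title from the advisory.

function render_title_vulnerable(string $title): string
{
    // Mirrors the original header.php line: raw value echoed into <title>.
    return "<title>" . $title . "</title>";
}

function render_title_fixed(string $title): string
{
    // Mirrors the patched line, with explicit flags and charset:
    //  - ENT_QUOTES also encodes single quotes, so the same helper is safe
    //    if the value is ever reused inside an attribute;
    //  - 'UTF-8' avoids the ISO-8859-1 default of older PHP releases, which
    //    can mis-handle multi-byte input.
    return "<title>" . htmlentities($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</title>";
}

// Constructed payload: closes the title element, injects a script, and
// re-opens a title so the rest of the page still parses.
$payload = "hello</title><script>alert(document.cookie)</script><title>";

$vulnerable = render_title_vulnerable($payload);
$fixed      = render_title_fixed($payload);

echo "vulnerable: " . $vulnerable . PHP_EOL;
echo "fixed:      " . $fixed . PHP_EOL;

// Check: the injected closing tag must survive in the vulnerable output
// and be absent from the fixed one.
assert(strpos($vulnerable, '</title><script>') !== false);
assert(strpos($fixed, '</title><script>') === false);
assert(strpos($fixed, '&lt;/title&gt;') !== false);
```

Run it with `php example.php` (assertions are active by default in the CLI unless zend.assertions is set to -1). Note that the encoding is context-specific: htmlentities is the right tool for element content and quoted attributes, but a value placed into a JavaScript block, a URL, or a CSS context needs the encoder for that context instead.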

Disclosure Information: 

- Vulnerability found 26th January

- Patch was made available 26th January

- Vendor and Bugtraq (SecurityFocus) contacted on 26th January

- Will be disclosed on InterN0T 27th January

All of the best,

