lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 22 May 2003 21:41:04 +0200
From: Marc Ruef <marc.ruef@...putec.ch>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
   news@...uriteam.com, submissions@...ketstormsecurity.org
Subject: XMB 1.8 Partagium cross site scripting vulnerability


Hi!

Lotek, a friend of mine, informed me about a cross site scripting bug[1]
in my XMBforum 1.8.x[2]:

http://www.computec.ch/forum/member.php?action=viewpro&member=%3Cdiv%3E%3Cfont%20color=%22red%22%3EMarc%3C/font%3E%3Cscript%3Ealert(%22Ruef%22);%3C/script%3E%3C/div%3E

I sent this information at Apr 25 2003 to sales@...nture-media.co.uk (I
have not found any other contact email on the web page) and suggested a
patch or update. After a week, nothing came back so I decided to send my
advisory to the Super Administrator of their own board. No reply too.

This bug still exists in XMB 1.8 Final Edition SP1, released after the
bugtraq posting "XMB 1.8 Partagium SQL Injection Bug" on Apr 22 2003
5:08PM[2]. It may be possible that other versions of the board (1.11,
1.6, and 1.8 beta) are also vulnerable.

An new updated version of the forum may be available at
http://www.xmbforum.com/download/#partagium - An upgrade, if available,
is recommended.

Bye, Marc

[1] http://www.cgisecurity.com/articles/xss-faq.shtml
[2] http://www.xmbforum.com
[3] http://www.securityfocus.com/archive/1/319411

-- 
Computer, Technik und Security                  http://www.computec.ch/

"Alle Technik ist ein faustischer Pakt mit dem Teufel."
           Neil Postman, US-amerikanischer Soziologe und Medienkritiker


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ