Message-ID: <20031114082118.10598.qmail@sf-www3-symnsj.securityfocus.com>
Date: 14 Nov 2003 08:21:18 -0000
From: <bruce@...wizguide.info>
To: bugtraq@...urityfocus.com
Subject: Re: Web Wiz Forums ver. 7.01
In-Reply-To: <6520144396.20031113223723@....net.ru>

HEX has submitted incorrect information on Web Wiz Forums (again!!!).

The values of the variables mentioned by HEX are filtered further on in the code.

The file register_new_user.asp is not a file that exists in Web Wiz Forums version 7.01 or above.

The only variable that was not filtered correctly was the Location field which is populated by a drop down box. From March 2003 the location variable was changed to filter the location field. This does not affect versions of Web Wiz Forums from 7.5 and above.

>
>Information :
>°°°°°°°°°°°°
>Language : ASP
>Bugged Version : Web Wiz Forums ver. 7.01 (and less ?)
>Website : http://www.webwizforums.com
>Problems : Permanent XSS
>
>
>Objects :
>°°°°°°°
>- register_new_user.asp
>- register.asp
>
>The variable values are not filtered:
>
>strLocation = Request.Form("location")
>strMessage = Request.Form("signature")
>strPassword = Request.Form("password")
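
The point about the Location field being populated by a drop-down box, as an added example that is not part of the original message and is not Web Wiz Forums code: a drop-down only constrains what a browser offers, so the server still has to check the posted value against the same option list and HTML-encode stored values on output. The option list and the names `arrLocations` and `FilterLocation` are hypothetical and constructed for illustration; `Request.Form`, `Server.HTMLEncode` and `StrComp` are standard Classic ASP/VBScript.

```vbscript
<%
Option Explicit

' Constructed allow-list (assumption): the values the location drop-down offers.
Dim arrLocations
arrLocations = Array("Australia", "Canada", "United Kingdom", "United States")

' Returns the submitted value only when it exactly matches one of the
' drop-down options. A hand-crafted POST carrying any other value
' (markup included) is reduced to an empty string.
Function FilterLocation(strInput)
    Dim strOption
    FilterLocation = ""
    For Each strOption In arrLocations
        If StrComp(strInput, strOption, vbBinaryCompare) = 0 Then
            FilterLocation = strOption
            Exit Function
        End If
    Next
End Function

Dim strLocation, strSignature

' Allow-list check on input: the field is never trusted just because
' the form renders it as a <select>.
strLocation = FilterLocation(Trim(Request.Form("location")))

' Free-text field: cannot be allow-listed, so cap its length here and
' rely on encoding at output time.
strSignature = Left(Trim(Request.Form("signature")), 255)

' Encode on output so that any value that reaches the page is rendered
' as text rather than interpreted as HTML or script.
Response.Write "<td>" & Server.HTMLEncode(strLocation) & "</td>"
Response.Write "<td>" & Server.HTMLEncode(strSignature) & "</td>"
%>
```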