lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041113193409.30919.qmail@www.securityfocus.com> Date: 13 Nov 2004 19:34:09 -0000 From: Alex Lanstein <alex.lanstein@...il.com> To: bugtraq@...urityfocus.com Subject: Multiple XSS holes in TheFaceBook Authors: Alex Lanstein, Ivo Parashkevov Date: November 12, 2004 Affected Software: TheFaceBook - All Versions Software URL: http://www.thefacebook.com TheFaceBook, a popular college networking (social, not technological) tool is vulnerable to many XSS holes in it's search and editing methods. In 'Advanced Search', the following fields are vulnerable vi search.php: Phone Number,Birthday, Address, Enjoy. POC search.php?do_search=1&advanced=1&name=&email=&status=&sex=&year=&house=&room=&mailbox=&phone=<code here> &Birthday=<code here> &Address=<code here> &Enjoy=<code here> 'Group Search' is vulnerable, also through the search.php module POC search.php?all_fields=0&do_search=1&advanced=1&group=<code here> 'HighSchool Search' is vulnerable through the global.php module POC global.php?do_search=1&high_school=1&state=1&city=2&hsid=1&changed=1&advanced=1&high_school=1&name=<codehere>&hsyear= The whole profile is also vulnerable. The automailer may be vulnerable to a sql injection as well ;-) Greets to CC, Hahvid, neworder.box.sk, and fromadia.com
Powered by blists - more mailing lists