lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 3 Mar 2005 09:52:11 -0000
From: Rift <Sean@...e-web.com>
To: bugtraq@...urityfocus.com
Subject: [XSS] paBox 1.6




Just wanted to let it be known seeing as i havent seen any info on this yet, ive discovered a cross scripting problem in PABox 1.6 

http://phpnuke.org/modules.php?name=News&file=article&sid=5065

they give a demo page of pabox there.  if you take the default form used for the shoutbox, there are always two parameters marked as hidden:

<input type="hidden" name="date"...
and
<input type="hidden" name="time"...


you can easily extract the form from anysite's pabox and change the date value to "text" and inject scripting code into it.. for example

<h1><marquee>&lt;script&gt;document.write(document.cookie);&lt;/script&gt;</marquee></h1><noscript>

obviously your code can be modified to do anything of your liking.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ