lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20050612211624.32412.qmail@securityfocus.com>
Date: 12 Jun 2005 21:16:24 -0000
From: thegreatone2176@...oo.com
To: bugtraq@...urityfocus.com
Subject: singapore v0.9.11 cross site scripting and path disclosure

Because of singapore's heavy use of classes it has multiple path disclosure occurrences. The following pages all produced class-related errors when navigating directly to them in your browser:

gallery/includes/admin.class.php
templates/admin_default/ (all the .tpl.php files)
templates/default/ (all the .tpl.php files)

Also, the gallery $_GET parameter on www.site.com/index.php is not properly checked, leading to cross site scripting. We used

http://www.site.com/index.php?gallery=%3Cimg%20onmouseover=%22alert('hi')%22%20style=%22position:%20absolute;%20top:0px;%20left:%200px;%20width:%201000%;%20height:%201000%;%22%3E

and other similar scripts to produce the XSS.
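Both issues in the report come down to two well-known PHP patterns: a request parameter echoed into HTML without encoding, and include files that can be requested directly. The following is an added example written for this page, not singapore's own code; the function names and the SINGAPORE_LOADED constant are assumed, and the payload is the one quoted in the advisory, URL-decoded.

```php
<?php
// Added example (not from singapore). Shows the vulnerable reflection pattern
// beside its hardened form, plus a direct-access guard for include files.

// Reflected XSS: the vulnerable pattern echoes the request value as-is, so a
// value containing <img onmouseover=...> becomes live markup in the page.
function heading_unescaped(string $gallery): string
{
    return '<h1>Gallery: ' . $gallery . '</h1>';
}

// Fix: HTML-encode for the text context. ENT_QUOTES also encodes ' and ",
// so the same helper stays safe if the value is later placed inside a
// quoted attribute; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function heading_escaped(string $gallery): string
{
    return '<h1>Gallery: '
        . htmlspecialchars($gallery, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</h1>';
}

// Path disclosure: a .tpl.php or *.class.php file fetched directly has none of
// the state index.php normally sets up, so PHP's error messages reveal the
// absolute filesystem path. Calling this at the top of every such file
// refuses direct requests; index.php defines the constant (assumed name)
// before including anything. Keeping display_errors off in production is
// the complementary, server-side mitigation.
function deny_direct_access(): void
{
    if (!defined('SINGAPORE_LOADED')) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
}

// Demonstration with the advisory's payload (constructed here by decoding
// the URL from the report).
$payload = '<img onmouseover="alert(\'hi\')" style="position: absolute; '
         . 'top:0px; left: 0px; width: 1000%; height: 1000%;">';

echo heading_unescaped($payload), PHP_EOL;  // browser renders an <img> with a handler
echo heading_escaped($payload), PHP_EOL;    // browser shows the literal text only
```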