lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050612211624.32412.qmail@securityfocus.com>
Date: 12 Jun 2005 21:16:24 -0000
From: thegreatone2176@...oo.com
To: bugtraq@...urityfocus.com
Subject: singapore v0.9.11 cross site scripting and path disclosure


Because of singapores heavy use of classes it has multiple path disclosure occurences. The following pages all produced class related errors when navigating directly to them in your browser.

gallery/includes/admin.class.php
templates/admin_default/ all the .tpl.php files
templates/default/ all the the .tpl.php files

Also the gallery $_GET parameter on www.site.com/index.php is not properly checked leading to cross site scripting.  We used http://www.site.com/index.php?gallery=%3Cimg%20onmouseover=%22alert('hi')%22%20style=%22position:%20absolute;%20top:0px;%20left:%200px;%20width:%201000%;%20height:%201000%;%22%3E
and other similar scripts to produce the xss.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ