lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 1 Nov 2005 02:54:42 -0800 (PST)
From: alireza hassani <trueend5@...oo.com>
To: bugtraq@...urityfocus.com
Subject: VUBB XSS & path disclosure Vulnerabilities



[KAPDA::#10] - VUBB XSS & path disclosure
vulnerabilities
KAPDA New advisory

Vendor: http://www.vubb.com
Version: vubb alpha rc1
Bug: XSS & path disclosure
Exploitation: Remote with browser
Discussion:
--------------------
VuBB is a Free PHP/MySQL forum/bulletin board system. 

Vulnerability:
--------------------
XSS:
A remote user can create a specially crafted URL that,
when loaded by a target user, will cause arbitrary
scripting code to be executed by the target user's
browser. The code will originate from the site running
the VUBB software and will run in the security context
of that site.
PATH Disclosure:
 A remote user can supply a specially crafted URL to
cause the system to display an error message that
discloses the installation path and other data.

Demonstration URL :
--------------------
http://www.example.com/forum/index.php?act=newreply&t='>%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E&f=6
http://www.example.com/forum/index.php?act=viewforum&f='

Solution:
--------------------
There is no vendor-supplied patch for this issue at
this time.

More Detail:
--------------------
original advisory:
http://irannetjob.com/content/view/152/28/

Credit :
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[KAPDA.ir] 



		
__________________________________ 
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com


Powered by blists - more mailing lists