| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <438B3435.7020403@katamail.com> Date: Mon, 28 Nov 2005 17:45:41 +0100 From: ascii <ascii@...amail.com> To: full-disclosure@...ts.grok.org.uk, ml@...urezza.org, bugtraq@...urityfocus.com, news@...uriteam.com, bugs@...uritytracker.com, vuln@...unia.com Subject: Free Web Stat Multiple XSS Vulnerabilities FreeWebStat Multiple XSS Vulnerabilities Name Multiple XSS Vulnerabilities in FreeWebStat Systems Affected FreeWebStat (verified on 1.0 rev37) Severity Medium Risk Vendor www.freewebstat.com Advisory http://www.ush.it/2005/11/25/free-web-stat/ Author Francesco "aScii" Ongaro (ascii at katamail . com) Date 20051125 FreeWebStat 1.0 rev37 (the last version at the write time) is vulnerable to multiple XSS. The impact is a little bigger since datas will be stored in a flat file and the result of a single query will persist for some time on the backend. A well-timed loop of requests will assure the XSS to be permanent. This can be used to inject arbitrary JS code into the page and make the JS pseudo-permanent, so other users will execute the JS without the need of any special url. Advisory released on 20051125: Free Web Stat Multiple XSS Vulnerabilities http://www.ush.it/2005/11/25/free-web-stat/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists