lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: 27 Aug 2007 21:22:51 -0000 From: morin.josh@...il.com To: bugtraq@...urityfocus.com Subject: PhpGedView login page multiple XSS Vendor Site: http://www.phpgedview.net Version: 4.1 Common Path: yoursite.com/genealogy/login.php Overview: Genealogy program which allows you to view and edit your genealogy on your website. It fails to sufficiently sanitize user-supplied input data in "User Name" text box leaving password blank and pressing the "Login" button, also web address XSS. Example: 1.<html><font color="Red"><b>XSS</b></font></html> 2.yoursite.com/genealogy/login.php?login.php?action=login&username="><iframe> 3.yousite.com/genealogy/login.php?url=/index.php?JOSH="><iframe> Discovered by: Joshua Morin