Message-ID: <ae7d6d93ab07bd3eb317ea2e1dab8922@g13net.com>
Date: Sun, 18 Dec 2011 14:08:19 -0500
From: tom <tom@...net.com>
To: <submit@...sec.com>, <bugtraq@...urityfocus.com>
Subject: SASHA v0.2.0 Multiple XSS

# Exploit Title: SASHA v0.2.0 Multiple XSS
# Date: 12/16/11
# Author: G13
# Software Link: http://sourceforge.net/projects/sasha/files/
# Version: 0.2.0
# Category: webapps (php)
#


##### Vulnerability #####

When adding a new course to the schedule, the application relies on 
client-side controls to validate input. These controls are easily 
bypassed with an intercepting proxy or via a CSRF attack, so the values 
below reach the server, and later the page, unchecked.


##### Affected Variables #####

section_title=[XSS]
instructors=[XSS]

##### POST Data #####

institution=uvm&semester%5Bseason%5D=09&semester%5Byear%5D=2011&schedule_type=0&
subject=math&course=0028&section=test&start_time%5Bhour%5D=8&
start_time%5Bminute%5D=0&start_time%5Bmeridiem%5D=AM&end_time%5Bhour%5D=9&
end_time%5Bminute%5D=0&end_time%5Bmeridiem%5D=AM&parent_schedule_id=&
instructors%5B0%5D=&instructors%5B1%5D=&instructors%5B2%5D=&instructors%5B3%5D=&
instructors%5B4%5D=&instructors%5B5%5D=&section_title=&step=1&next=Next
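The fix on the server side is the part the advisory leaves implicit: the POST body above has to be validated and its values HTML-encoded on output regardless of what the browser-side controls did. The following Python is an added example (not code from the advisory or from the SASHA project, which is PHP) showing that handling for the two affected parameters. The sample body is constructed from the advisory's parameter names, trimmed to the relevant fields, with harmless markup placed in `section_title` and `instructors[0]` so the encoding is visible; the character whitelist for titles and names is an assumption about what the application should accept.

```python
"""Server-side validation and output encoding for SASHA's 'add course' POST.

Added example; parameter names come from the advisory, everything else is
assumed. Values in the sample body are constructed, not real traffic.
"""
import html
import re
from urllib.parse import parse_qs

# Constructed sample body (trimmed from the advisory's POST data). The two
# fields the advisory flags carry harmless markup to show the encoding step.
SAMPLE_BODY = (
    "institution=uvm&semester%5Bseason%5D=09&semester%5Byear%5D=2011"
    "&subject=math&course=0028&section=test"
    "&instructors%5B0%5D=%3Cb%3EDr.+Smith%3C%2Fb%3E&instructors%5B1%5D="
    "&section_title=Calc+I+%3Cimg+src%3Dx%3E&step=1&next=Next"
)

# Assumed policy: a course title or instructor name is short plain text.
# Anything outside this set is rejected before it is stored.
TEXT_FIELD_RE = re.compile(r"^[A-Za-z0-9 .,'&()-]{0,80}$")


def parse_form(body: str) -> dict:
    """Decode the urlencoded body; instructors[N] keys fold into one list."""
    form = {"instructors": []}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if re.fullmatch(r"instructors\[\d+\]", key):
            form["instructors"].extend(v for v in values if v)
        else:
            form[key] = values[0]
    return form


def validate(form: dict) -> list[str]:
    """Return the names of fields whose values fail the server-side check.

    An empty list means the submission may be stored. This check runs on
    the server, so a bypassed browser-side control changes nothing.
    """
    bad = []
    if not TEXT_FIELD_RE.match(form.get("section_title", "")):
        bad.append("section_title")
    if any(not TEXT_FIELD_RE.match(v) for v in form["instructors"]):
        bad.append("instructors")
    return bad


def render_row(form: dict) -> str:
    """Output encoding: every stored value is escaped when placed in HTML.

    This is the second, independent layer: even if a value slipped past
    validation, it is rendered as text rather than markup.
    """
    title = html.escape(form.get("section_title", ""), quote=True)
    names = ", ".join(html.escape(v, quote=True) for v in form["instructors"])
    return f"<tr><td>{title}</td><td>{names}</td></tr>"


if __name__ == "__main__":
    form = parse_form(SAMPLE_BODY)
    print("rejected fields:", validate(form))
    print(render_row(form))
```

Run against the sample body, `validate` names both `section_title` and `instructors` as rejected, and `render_row` shows the markup arriving in the page as `&lt;img src=x&gt;` rather than as a tag. Validation and output encoding are kept as separate functions on purpose: the whitelist protects the stored data, the escaping protects every page that later displays it.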
