lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20120103184024.GH5573@foo.fgeek.fi>
Date: Tue, 3 Jan 2012 20:40:24 +0200
From: Henri Salo <henri@...v.fi>
To: tom <tom@...net.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP Booking Calendar 10e XSS

On Sun, Dec 18, 2011 at 03:15:36PM -0500, tom wrote:
> # Exploit Title: PHP Booking Calendar 10e XSS
> # Date: 12/16/11
> # Author: G13
> # Software Link: http://sourceforge.net/projects/bookingcalendar/
> # Version: 10e
> # Category: webapps (php)
> #
> 
> ##### Vulnerability #####
> 
> The page_info_message varibale in the details_view.php does not
> sanitize input.  This is a relective XSS attack.
> 
> ##### Exploit #####
> 
> http://127.0.0.1/cal/details_view.php?event_id=1&date=2011-12-01&view=month&loc=loc1&page_info_message=[XSS]

CVE-2011-5045 can be used for this issue.

- Henri Salo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ