Date: Mon, 23 Apr 2012 19:07:53 GMT
From: Lostmon@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: phpMyBible 0.5.1 Multiple XSS

Hi,
This is a discontinued product from 2007; also, we can apply a simple patch to all the variables here:

####### Vulnerable code ############
# Every value is taken straight from the request and later echoed
# into the page without escaping, which is the reflected XSS.
$book = $_REQUEST['book'];
$chapter = $_REQUEST['chapter'];
$version = $_REQUEST['version'];
$curl = $_SERVER['REQUEST_URI'];
$searchword = $_REQUEST['searchword'];
#################################

######### Patch here ############
# Numeric parameters: intval() drops anything that is not an integer.
$book = intval($_REQUEST['book']);
$chapter = intval($_REQUEST['chapter']);
# Free-text parameters: htmlspecialchars() escapes < > & and double
# quotes; pass ENT_QUOTES if the value lands in a single-quoted attribute.
$version = htmlspecialchars($_REQUEST['version']);
# REQUEST_URI is left unchanged here; it is attacker-controlled too and
# must be escaped wherever it is echoed back.
$curl = $_SERVER['REQUEST_URI'];
$searchword = htmlspecialchars($_REQUEST['searchword']);
##################################

Thanks for your time!!
-- 
Sincerely:
Lostmon (lostmon@...il.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon
--
Curiosity is what moves the mind....
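The patch above applied end to end, as an added example that is not phpMyBible code and not part of the original post. It renders the same five request values the vulnerable block reads, once raw and once hardened, against a constructed request carrying attribute-breaking payloads. Two things go beyond the posted patch: htmlspecialchars() is called with ENT_QUOTES and an explicit charset so single-quoted attributes are covered, and REQUEST_URI is escaped before it is reflected into the form action. The function names, the allow-list of version names and the sample payloads are assumptions made for the example.

```php
<?php
// Added example, not code from phpMyBible or from the advisory author.
// Function names, the version allow-list and the sample request are
// assumptions; the request is constructed inline so this runs offline.

declare(strict_types=1);

// Escape for an HTML text node or a quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": every parameter is reflected raw, as in the vulnerable block.
function renderVulnerable(array $request, array $server): string
{
    $book       = $request['book'] ?? '';
    $chapter    = $request['chapter'] ?? '';
    $version    = $request['version'] ?? '';
    $curl       = $server['REQUEST_URI'] ?? '';
    $searchword = $request['searchword'] ?? '';

    return "<form action=\"$curl\">"
         . "<input name=\"searchword\" value=\"$searchword\">"
         . "</form>"
         . "<h1>Book $book, chapter $chapter ($version)</h1>";
}

// "After": numeric parameters are cast, free-text ones are escaped,
// the version is checked against an allow-list, and the URL is escaped too.
function renderPatched(array $request, array $server, array $knownVersions): string
{
    $book       = intval($request['book'] ?? 0);
    $chapter    = intval($request['chapter'] ?? 0);
    $version    = (string) ($request['version'] ?? '');
    $curl       = (string) ($server['REQUEST_URI'] ?? '');
    $searchword = (string) ($request['searchword'] ?? '');

    // A version name that later selects a table or file should be an
    // allow-list lookup, not merely escaped on output (assumed list).
    if (!in_array($version, $knownVersions, true)) {
        $version = $knownVersions[0];
    }

    return '<form action="' . h($curl) . '">'
         . '<input name="searchword" value="' . h($searchword) . '">'
         . '</form>'
         . "<h1>Book $book, chapter $chapter (" . h($version) . ')</h1>';
}

// Constructed request: each payload closes the attribute it lands in
// and injects markup; none of these values come from a real site.
$request = [
    'book'       => '1 onmouseover=alert(1)',
    'chapter'    => '3',
    'version'    => 'kjv"><script>alert(document.cookie)</script>',
    'searchword' => '"><img src=x onerror=alert(1)>',
];
$server = ['REQUEST_URI' => '/index.php?book=1"><script>alert(1)</script>'];

echo renderVulnerable($request, $server), "\n\n";
echo renderPatched($request, $server, ['kjv', 'asv']), "\n";
```

Run with `php example.php`: the first block of output contains the injected `<script>` and `<img>` tags verbatim; in the second, `book` collapses to `1`, `version` falls back to `kjv`, and the remaining values appear as `&quot;&gt;&lt;script&gt;...` inside their attributes.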
