Open Source and information security mailing list archives
Message-ID: <Pine.BSO.4.44.0503291339580.18055-100000@eurocompton.net>
Date: Tue Mar 29 19:46:58 2005
From: optimist at eurocompton.net (pretty vacant)
Subject: E-Data


Thank you Donnie,

This advisory was/is a perfect example of just how much of a true security
professional you are.

You are an irreplaceable asset to this list and the security community as
a whole. The world is a safer place with you in it.

God bless you.


> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Morning Wood
> Sent: Tuesday, March 29, 2005 1:03 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] E-Data
>
> ------------------------------------------------------------
>        - EXPL-A-2005-003 exploitlabs.com Advisory 032 -
> ------------------------------------------------------------
>                                  - E-Data -
>
> OVERVIEW
> ========
> E-Data 2.0 is a powerful e-mail directory and management application that
> will enhance your web site by letting visitors add, change and delete their
> personal information to a directory
>
> AFFECTED PRODUCTS
> =================
> E-Data 2.0
> http://www.adventia.com/
>
> DETAILS
> =======
> E-Data has user-supplied input fields in search and in the "add to database"
> functions. By inputting a query keyword followed by XSS style script, future
> users may search and find the keyword that contains the malicious XSS.
> The XSS is of a persistent nature as it is stored in the application's
> database.
>
> SOLUTION
> ========
> none
> 1st contact: March 16, 2005 ( no reply )
>
> PROOF OF CONCEPT
> ================
> The vendor has a demo site, PoC is in the database, just go to the "demo url"
> and enter "qwerty" in the search box. Demo url:
> http://www.adventia.com/cgi-bin/dir.pl
>
> CREDITS
> =======
> This vulnerability was discovered and researched by Donnie Werner of
> exploitlabs
>
> web: http://exploitlabs.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

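The stored XSS pattern the quoted advisory describes, as an added example that is not E-Data's code (dir.pl is not on this page): a constructed directory that stores visitor fields verbatim and echoes them into search results, the same results page rendered with output escaping, and a tag audit that flags any markup in the rendered page that the template itself never emits. Class and function names and the sample entries are assumptions.

```python
import html
from html.parser import HTMLParser

TEMPLATE_TAGS = {"p", "ul", "li"}  # the only tags the results template itself emits

class Directory:
    """Constructed stand-in for a visitor-editable e-mail directory (not E-Data's code)."""
    def __init__(self):
        self.entries = []

    def add(self, name, email):
        # "add to database": stored verbatim, which is what makes the XSS persistent
        self.entries.append({"name": name, "email": email})

    def search(self, keyword):
        kw = keyword.lower()
        return [e for e in self.entries if kw in e["name"].lower() or kw in e["email"].lower()]

def render_vulnerable(directory, keyword):
    """Results page that splices stored fields and the query into HTML unescaped."""
    rows = "".join(f"<li>{e['name']} ({e['email']})</li>" for e in directory.search(keyword))
    return f"<p>Results for {keyword}:</p><ul>{rows}</ul>"

def render_hardened(directory, keyword):
    """Same page with every untrusted value HTML-escaped at output time (quotes included)."""
    rows = "".join(f"<li>{html.escape(e['name'])} ({html.escape(e['email'])})</li>"
                   for e in directory.search(keyword))
    return f"<p>Results for {html.escape(keyword)}:</p><ul>{rows}</ul>"

class TagAudit(HTMLParser):
    """Records start tags the template never emits; they can only have come from stored data."""
    def __init__(self):
        super().__init__()
        self.foreign = []

    def handle_starttag(self, tag, attrs):
        if tag not in TEMPLATE_TAGS:
            self.foreign.append(tag)

def foreign_tags(page):
    audit = TagAudit()
    audit.feed(page)
    return audit.foreign

def demo():
    d = Directory()
    d.add("Alice Example", "alice@example.invalid")  # constructed benign entry
    d.add("qwerty <script>alert('stored')</script>", "x@example.invalid")  # constructed hostile entry
    # every later search for the stored keyword hits the hostile entry, as in the advisory
    return foreign_tags(render_vulnerable(d, "qwerty")), foreign_tags(render_hardened(d, "qwerty"))
```

Running `demo()` returns `(['script'], [])`: the unescaped page carries the stored tag to every later searcher, the escaped page does not.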