| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <F4F61047-37A9-4F5A-8039-28914C34798B@ariko-security.com>
Date: Tue, 21 Feb 2012 17:19:36 +0100
From: MG <vuln@...ko-security.com>
To: submissions@...ketstormsecurity.org
Cc: bugtraq <bugtraq@...urityfocus.com>,
full-disclosure <full-disclosure@...ts.grok.org.uk>,
submit@...ecurity.com, vuln <vuln@...unia.com>, moderators@...db.org
Subject: Addition to CVE-2012-0872 oxwall
Our addition to yesterday YGn advisory:
# CVE-2012-0872
============ { Ariko-Security - Advisory #2/2/2012 } =============
OxWall Cross-site scripting (XSS)
Vendor's description of software and download:
# Oxwall Foundation http://www.oxwall.org/
Dork:
# N/a
Application Info:
#OxWall 1.1.1
Vulnerability Info:
# Type: XSS
Time Table:
# 13/02/2012 - Vendor notified
XSS:
#Input passed to the "plugin" parameter in index.php is not properly sanitised before being returned to the user.
Solution:
# Input validation of vulnerable parameters should be corrected.
POC:
http://site/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E
advisory:
http://advisories.ariko-security.com/2012/audyt_bezpieczenstwa_2m2.html
Credit:
# Discoverd By: Ariko-Security 2012
Ariko-Security
Rynek Glowny 12
32-600 Oswiecim
tel:. +48 33 4741511 mobile: +48 784086818
(Mo-Fr 10.00-20.00 CET)
Ariko-Security Sp. z o.o. z siedzibą w Oświęcimiu , zarejestrowana przez Sąd Rejonowy dla m. Krakowa-Śródmieścia, XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS: 00000358273, NIP: 549-239-90-67, REGON 121262172
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists