Code:
# exploit title: XSS in WikyBlog 1.7.3rc2
# date: 3.03.2011
# author: lemlajt
# software : http://www.wikyblog.com/
# version: 
# tested on: linux
# cve : 
#
 
Description:

Some vulnerabilities have been discovered in WikyBlog which can be exploited by malicious people to conduct cross-site scripting and script/HTML insertion attacks.

1) Input passed via the "guest" parameter to "/WikyBlog-1.7.3rc2/index.php/Special/Main/Permissions" is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious article is viewed.

2) Input passed via the "f" parameter to include/tool/Files.php is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site.

include/tool/Files.php, line 14 (the request value is taken by reference and used without sanitisation):

    $file =& $_GET['f'];

HTML Injection is also possible in index.php.

The vulnerabilities are confirmed in version 1.7.3rc2. Other versions may also be affected.

Solution
Edit the source code to ensure that input is properly sanitised (validated on input and HTML-encoded on output).
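As an added illustration of the fix (this is example code written for this page, not WikyBlog's own source), the snippet below places the unsafe echo-back pattern from the advisory next to a hardened version for the "f" parameter of include/tool/Files.php. Function names, the surrounding markup and the sample request value are assumptions; the only thing taken from the project is the `$_GET['f']` input.

```php
<?php
// Added example, not WikyBlog code. Function names and markup are assumed.

// Vulnerable pattern (mirrors the advisory): the request value is placed
// in the response verbatim, so any HTML or script in "f" becomes markup.
function render_unsafe(array $get): string
{
    $file = $get['f'] ?? '';
    return "<p>File: " . $file . "</p>";
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from emptying
// the output.
function render_safe(array $get): string
{
    $file = $get['f'] ?? '';
    $escaped = htmlspecialchars($file, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>File: " . $escaped . "</p>";
}

// Defence in depth for a file-name parameter: allow-list the characters
// and reject anything else before the value is used for anything.
function validate_filename(string $name): ?string
{
    return preg_match('/\A[A-Za-z0-9._-]{1,255}\z/', $name) === 1 ? $name : null;
}

// Constructed sample input that mimics a script-insertion attempt.
$sample = ['f' => '<script>alert(1)</script>'];

// The unsafe renderer passes the tag through; the safe one entity-encodes
// it, and the allow-list rejects it outright (returns null).
echo render_unsafe($sample), PHP_EOL;
echo render_safe($sample), PHP_EOL;
var_dump(validate_filename($sample['f']));
var_dump(validate_filename('notes.txt'));
```

Output encoding is the fix for the reported XSS; the allow-list is a separate, additional check that is appropriate because "f" names a file. Note that neither function copies the superglobal by reference as the original line does; a plain copy avoids accidental writes back into `$_GET`.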

# regards,
# lemlajt
# *