Re: More Cross site Scripting in PHPNuke
From: chkumite chkumite (chkumite@hotmail.com)
Date: 04/24/02
From: "chkumite chkumite" <chkumite@hotmail.com>
To: replugge@alcoholico.org, bugtraq@securityfocus.com, info@securiteam.com, submissions@packetstormsecurity.org
Date: Wed, 24 Apr 2002 13:07:24 +0000
>Subject: More Cross site Scripting in PHPNuke
>Date: 23 Apr 2002 09:50:48 +0200
>
>Cross site scripting is a serious problem (even if some people
>don't believe it). On this second round I'll show 8 new XSS
>vulnerabilities in PHP Nuke (most of them are also path disclosure
>vulns)
You can do another thing, but it isn't exploitable :(
A local hack:
In the search input, you write: "><h1><marquee>Hacked by
Shaolinn</marquee></h1><"
The PHP file requests the input, and finally writes the HTML page, something
like this:
<input type="text" name="search" value="$search_input_requested">
Then when I write ">anyhtmlthing<" I am injecting HTML.
Really, this does not have any utility :) but you can learn how injection works.
-- Shaolinn --
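
Added example (not part of the original post and not PHPNuke code): the value="..." pattern quoted above, rendered once unencoded and once with htmlspecialchars(), using the post's own search string as input. All function names are hypothetical.

```php
<?php
// Added example, not PHPNuke code; all function names are hypothetical.

// Unsafe pattern from the post: the request value lands inside value="..."
// unmodified, so a double quote in the input ends the attribute early.
function render_search_unsafe(string $search): string
{
    return '<input type="text" name="search" value="' . $search . '">';
}

// Encoded for an HTML attribute context. ENT_QUOTES covers both " and ',
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_search_safe(string $search): string
{
    $encoded = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search" value="' . $encoded . '">';
}

// True when the rendered field is still exactly one tag with three quoted
// attributes: one '<', one '>', and six '"' (type, name, value).
function field_intact(string $html): bool
{
    return substr_count($html, '<') === 1
        && substr_count($html, '>') === 1
        && substr_count($html, '"') === 6;
}

// An ordinary search term (constructed) and the input string quoted in the post.
$samples = [
    'phpnuke themes',
    '"><h1><marquee>Hacked by Shaolinn</marquee></h1><"',
];

foreach ($samples as $search) {
    $unsafe = render_search_unsafe($search);
    $safe   = render_search_safe($search);

    echo "input : $search\n";
    echo "unsafe: $unsafe\n";
    echo '        field intact: ' . (field_intact($unsafe) ? 'yes' : 'no') . "\n";
    echo "safe  : $safe\n";
    echo '        field intact: ' . (field_intact($safe) ? 'yes' : 'no') . "\n\n";
}
```

The encoded form keeps the search box as a single element and the browser shows the typed characters literally inside it.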