Bugtraq mailing list archives
XSS in Authoria HR Suite
From: Max <rusmir () tula net>
Date: Wed, 9 Oct 2002 14:31:08 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
======
Cross-site scripting vulnerability (XSS) in Authoria HR suite

Vulnerable Application:
=======================
Authoria HR Suite (http://www.authoria.com) is an HR information management application used by many large enterprises.

Details:
========
Due to the inefficient URL filtering, which assumes that if you enclose something in quotes it will be a string value, it is possible to inject JavaScript into the URL. The fact that all unknown parameters are passed to string variables inside a <script> tag makes it even easier to exploit.

Demonstration:
==============
https://your.site.com/path.to/cgi-bin/athcgi.exe?command=showpage&script='],[0,0]];alert('Hello%20there!');a=[['

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9pKAg8mCpXsrcXpwRAn09AJ98PCYsK+XkzdZG/BmYz6dK26QhrgCdGg5B
GkqaU/8qIj8/unR8YxEI8Ns=
=TNOO
-----END PGP SIGNATURE-----
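The filtering flaw the advisory describes, shown as an added example that is not part of the advisory and not Authoria's code: a naive server-side template that wraps each URL parameter in quotes inside an inline <script> block, beside a hardened version that JSON-encodes the value and only emits allow-listed parameter names, plus two small checks that tell whether an emitted assignment stays inside one string literal and whether it can end the script element early. Every function name, the ALLOWED_PARAMS list and the sample values are assumptions for illustration.

```javascript
// Added example (not from the advisory or from Authoria): embedding URL
// parameters into an inline <script> string literal, naive vs. hardened.
// All names (naiveAssignment, safeAssignment, encodeForJsString,
// breaksOutOfLiteral, closesScriptElement, renderPage) are assumptions.

// Naive approach the advisory describes: wrap the raw value in quotes and
// assume it is therefore a string. A quote inside the value ends the
// literal, and everything after it is parsed as code.
function naiveAssignment(name, value) {
  return `var ${name} = '${value}';`;
}

// Hardened: JSON-encode the value (escapes quotes, backslashes, newlines),
// then escape what is still dangerous inside an HTML <script> element:
// '<' (so "</script>" cannot end the element early) and U+2028/U+2029
// (treated as line terminators by older JavaScript engines).
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Only known parameter names become script variables; unknown parameters
// are dropped instead of being turned into string variables.
const ALLOWED_PARAMS = new Set(['command', 'script']); // assumed allow-list

function safeAssignment(name, value) {
  if (!ALLOWED_PARAMS.has(name)) return null;
  return `var ${name} = ${encodeForJsString(value)};`;
}

function renderPage(params, assignment) {
  const lines = Object.entries(params)
    .map(([name, value]) => assignment(name, value))
    .filter((line) => line !== null);
  return `<script>\n${lines.join('\n')}\n</script>`;
}

// Check 1: scan one assignment statement and report whether the value
// escaped its string literal. Returns true when the literal closes before
// the trailing ';' (or never closes), i.e. part of the value became code.
function breaksOutOfLiteral(statement) {
  const start = statement.search(/['"]/);
  if (start < 0) return true;                  // no literal at all
  const quote = statement[start];
  let i = start + 1;
  while (i < statement.length) {
    const c = statement[i];
    if (c === '\\') { i += 2; continue; }      // skip escaped character
    if (c === quote) break;                    // literal closed here
    if (c === '\n' || c === '\r') return true; // unterminated literal
    i += 1;
  }
  if (i >= statement.length) return true;      // never closed
  return !/^\s*;\s*$/.test(statement.slice(i + 1));
}

// Check 2: the HTML parser ends a <script> element at "</script" regardless
// of JavaScript string boundaries, so that sequence must never be emitted.
function closesScriptElement(statement) {
  return /<\/script/i.test(statement);
}

// Constructed sample values (not from the advisory).
const SAMPLES = ["O'Brien", '</script><b>x</b>', 'plain value'];

function compareEncodings(value) {
  const naive = naiveAssignment('script', value);
  const safe = safeAssignment('script', value);
  return {
    naiveBreaks: breaksOutOfLiteral(naive),
    safeBreaks: breaksOutOfLiteral(safe),
    naiveClosesTag: closesScriptElement(naive),
    safeClosesTag: closesScriptElement(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of SAMPLES) console.log(JSON.stringify(v), compareEncodings(v));
  console.log(renderPage({ command: 'showpage', script: "O'Brien", other: 'x' }, safeAssignment));
}
```

The two checks are deliberately separate: a value with no quote character passes the literal check yet still ends the element if it contains "</script", which is why the hardened encoder escapes '<' on top of what JSON encoding already does.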