Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

XSS in Authoria HR Suite

From: Max <rusmir () tula net>
Date: Wed, 9 Oct 2002 14:31:08 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
======

Cross-site scripting vulnerability (XSS) in Authoria HR suite

Vulnerable Application:
=======================

Authoria HR Suite (http://www.authoria.com) is HR information management
application used by many large enterprises.

Details:
========

Due to the unefficient URL filtering, which assumes that if you enclose
something in quites, it will be a string value, it is possible to inject
a javascript in the URL.

The fact that all unknown parameters are passed to string variables inside
<script> tag makes it even easier to exploit.

Demonstration:
==============

https://your.site.com/path.to/cgi-bin/athcgi.exe?command=showpage&script='],[0,0]];alert('Hello%20there!');a=[['

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9pKAg8mCpXsrcXpwRAn09AJ98PCYsK+XkzdZG/BmYz6dK26QhrgCdGg5B
GkqaU/8qIj8/unR8YxEI8Ns=
=TNOO
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: