Full Disclosure mailing list archives
Cross site scripting in Onecenter Forum 4.0
From: "David F. Madrid" <conde0 () telefonica net>
Date: Fri, 25 Apr 2003 07:24:24 -0300 (ART)
Issue : cross site scripting in Onecenter forum Affected Product : Onecenter forum 4.0 Description : Onecenter offers a free discussion forum hosted in the company's servers ( forum.onecenter.com ) . Any user in the forum is identified by a cookie that contains nick , name , mail address and password . This information can be easily obtained as you can add in your posts the img html tag with a custom script as follows <img src=javascript:alert(document.cookie);> To impersonate any user in the forum ( onecenter administrators would be a good choice , as you can report posts to them ) you just have to build a cookie like the one obtained and visit the forum . -- Regards , David F. Madrid Madrid , Spain _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Cross site scripting in Onecenter Forum 4.0 David F. Madrid (Apr 25)