Full Disclosure mailing list archives
Free Web Stat Multiple XSS Vulnerabilities
From: ascii <ascii () katamail com>
Date: Mon, 28 Nov 2005 17:45:41 +0100
FreeWebStat Multiple XSS Vulnerabilities Name Multiple XSS Vulnerabilities in FreeWebStat Systems Affected FreeWebStat (verified on 1.0 rev37) Severity Medium Risk Vendor www.freewebstat.com Advisory http://www.ush.it/2005/11/25/free-web-stat/ Author Francesco "aScii" Ongaro (ascii at katamail . com) Date 20051125 FreeWebStat 1.0 rev37 (the last version at the write time) is vulnerable to multiple XSS. The impact is a little bigger since datas will be stored in a flat file and the result of a single query will persist for some time on the backend. A well-timed loop of requests will assure the XSS to be permanent. This can be used to inject arbitrary JS code into the page and make the JS pseudo-permanent, so other users will execute the JS without the need of any special url. Advisory released on 20051125: Free Web Stat Multiple XSS Vulnerabilities http://www.ush.it/2005/11/25/free-web-stat/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Free Web Stat Multiple XSS Vulnerabilities ascii (Nov 28)