Full Disclosure mailing list archives
SimpBook "message" Remote Cross-Site Scripting Vulnerability
From: zeus olimpusklan <zeus.olimpusklan () gmail com>
Date: Fri, 6 Jan 2006 09:52:10 -0600
########################################################################### # Advisory #5 Title: SimpBook "message" Remote Cross-Site Scripting Vulnerability # # # Author: 0o_zeus_o0 # Contact: zeus () diosdelared com # Website: Elitemexico.org # Date: 05/01/2006 # Risk: High # Vendor Url: http://codegrrl.com/scripts/simpbook/ # Affected Software: SimpBook # Non Affected: # # We Are: olimpus klan team # #TECHNICAL INFO #================================================================ # #An input validation vulnerability in SimpBook has been reported, which can be exploited # #by remote users to conduct cross-site scripting attacks. # #User-supplied input passed to the "message" field isn't sanitised before being stored in # #the guestbook. This can be exploited to execute arbitrary script code in the security context # #of an affected website, as a result the code will be able to access any of the target user's # #cookies, access data recently submitted by the target user via web form to the site, or take # #actions on the site acting as the target user. # #Successful exploitation requires that "html_enable" is set to "on" in " config.php". # #This is set to"on" in the default installation. # #Solution: # #Set "html_enable" to "off" in "config.php" or edit the source code to ensure that input is properly sanitised. # # #VULNERABLE VERSIONS #================================================================ #SimpBook version 1.0. Other versions may also be affected. # # #================================================================ #Contact information #0o_zeus_o0 #zeus () diosdelared com #www.olimpusklan.org #================================================================ #greetz: lady fire, fraude, xoxo, El_Mesias ##############################################################################
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SimpBook "message" Remote Cross-Site Scripting Vulnerability zeus olimpusklan (Jan 06)
- Re: SimpBook "message" Remote Cross-Site Scripting Vulnerability Mbyte Security (Jan 06)