Full Disclosure mailing list archives
Addition to CVE-2012-0872 oxwall
From: MG <vuln () ariko-security com>
Date: Tue, 21 Feb 2012 17:19:36 +0100
Our addition to yesterday's YGn advisory:

# CVE-2012-0872
============ { Ariko-Security - Advisory #2/2/2012 } =============
OxWall Cross-site scripting (XSS)

Vendor's description of software and download:
# Oxwall Foundation http://www.oxwall.org/

Dork:
# N/a

Application Info:
# OxWall 1.1.1

Vulnerability Info:
# Type: XSS

Time Table:
# 13/02/2012 - Vendor notified

XSS:
# Input passed to the "plugin" parameter in index.php is not properly sanitised before being returned to the user.

Solution:
# Input validation of vulnerable parameters should be corrected.

POC:
http://site/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E

advisory: http://advisories.ariko-security.com/2012/audyt_bezpieczenstwa_2m2.html

Credit:
# Discovered By: Ariko-Security 2012

Ariko-Security
Rynek Glowny 12
32-600 Oswiecim
tel: +48 33 4741511
mobile: +48 784086818 (Mo-Fr 10.00-20.00 CET)

Ariko-Security Sp. z o.o., registered office in Oświęcim, registered by the District Court for Kraków-Śródmieście, 12th Commercial Division of the National Court Register, KRS: 00000358273, NIP: 549-239-90-67, REGON 121262172
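To make the advisory's finding and its fix concrete, here is an added example in Python (not Oxwall's own PHP code): it decodes the "plugin" value from the PoC URL, shows the raw reflection the advisory describes beside a handler that allowlists the plugin key and HTML-encodes anything it echoes. The allowlist pattern is an assumption, not Oxwall's actual rule.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for a plugin key: lowercase letters, digits, underscore.
# Oxwall's real naming rule may differ; this is the shape of the check, not its source.
PLUGIN_KEY_RE = re.compile(r"^[a-z0-9_]{1,64}$")

# The PoC URL from the advisory above.
POC_URL = ("http://site/ow_updates/?plugin=%27%22%28%29%26%251"
           "%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E")


def plugin_param_from_url(url):
    """Return the percent-decoded 'plugin' query value ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("plugin", [""])[0]


def vulnerable_render(plugin):
    """The behaviour the advisory reports: the parameter is echoed unencoded."""
    return f"<p>Updating plugin: {plugin}</p>"


def encoded_render(plugin):
    """Output encoding alone: every reflected character is HTML-escaped,
    so the PoC payload becomes inert text rather than markup."""
    return f"<p>Updating plugin: {html.escape(plugin, quote=True)}</p>"


def safe_render(plugin):
    """Validation plus encoding: reject anything outside the allowlist
    (caller answers with a generic error) and escape what is accepted."""
    if not PLUGIN_KEY_RE.fullmatch(plugin):
        return None
    return encoded_render(plugin)


if __name__ == "__main__":
    value = plugin_param_from_url(POC_URL)
    print("decoded parameter :", value)
    print("vulnerable        :", vulnerable_render(value))
    print("encoded only      :", encoded_render(value))
    print("validated         :", safe_render(value))
    print("legitimate key    :", safe_render("forum"))
```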
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/