Cross Site Scripting Vulnerability in Zoho Virtual Office
Jul 17 2006 12:29PM
ss_team (ssteam pl gmail com)
We have discovered a vulnerability in Zoho Virtual Office.
A malformed HTML message could lead to an XSS attack. It can cause cookie
theft leading to session hijacking.
browser's frame into evil script on attacker's server.
evil.php file contains code which saves cookie variables on evil server.
attacker can prepare cookie and hijack the user's session.
Affected version: 3.2 Build 3210 (latest), previous versions might
also be vulnerable.
Vendor was contacted 72 hours ago.
marc & shb
Copyright 2010, SecurityFocus