BugTraq
PHP Booking Calendar 10e XSS Dec 18 2011 08:15PM
tom (tom g13net com) (1 replies)
Re: PHP Booking Calendar 10e XSS Jan 03 2012 06:40PM
Henri Salo (henri nerv fi)
On Sun, Dec 18, 2011 at 03:15:36PM -0500, tom wrote:
> # Exploit Title: PHP Booking Calendar 10e XSS
> # Date: 12/16/11
> # Author: G13
> # Software Link: http://sourceforge.net/projects/bookingcalendar/
> # Version: 10e
> # Category: webapps (php)
> #
>
> ##### Vulnerability #####
>
> The page_info_message varibale in the details_view.php does not
> sanitize input. This is a relective XSS attack.
>
> ##### Exploit #####
>
> http://127.0.0.1/cal/details_view.php?event_id=1&date=2011-12-01&view=mo
nth&loc=loc1&page_info_message=[XSS]

CVE-2011-5045 can be used for this issue.

- Henri Salo

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus