Full Disclosure mailing list archives
Cross Site Scripting fusion news
From: "k1LL3r B0y" <k1ll3rb0y () hotmail com>
Date: Fri, 23 Apr 2004 04:54:51 +0200
=====================================================================
========================== DarkBicho ================================

PROGRAM: fusion news
HOMEPAGE: http://www.fusionphp.net/
version: 3.6.1
Bug: Cross Site Scripting
Date: 22/04/2003
Author: DarkBicho
web: http://www.darkbicho.tk
Email: darkbicho () peru com

=====================================================================

===============
1) Introduction
===============

Fusion News is free software written in PHP. This product is vulnerable to a
Cross-Site Scripting vulnerability that would allow attackers to inject HTML
and script code into the pages and execute it in the client's browser as if
it were provided by the site.

===============
2) Exploit
===============

The XSS hole is in fullnews.php

http://site vulnerable/fullnews.php?id=<script>alert(document.cookie);</script>

===============
2) SOLUTION
===============

The vendor was notified. Visit the web site for a patch.

=====================================================================

DARKBICHO
www.darkbicho.tk
Made In Peru

Advisory URL: http://bichosoft.webcindario.com/advisory-02.txt
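A server-side fix for the reflected `id` parameter described in the advisory, as an added example that is not part of the original post and is not Fusion News source code. The handler and helper names are hypothetical, and it assumes news ids are positive decimal numbers, which the advisory does not state.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical handler, not the real fullnews.php.

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return the article id as an int, or null when the raw parameter is not
 * a plain positive decimal number (assumption: ids are numeric).
 */
function parse_news_id($raw): ?int
{
    // Arrays (?id[]=x), missing values and anything non-numeric are rejected.
    if (!is_string($raw) || preg_match('/^[1-9][0-9]{0,8}$/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Build the response as [HTTP status, HTML body]. */
function render_fullnews(array $query): array
{
    $raw = $query['id'] ?? null;
    $id = parse_news_id($raw);
    if ($id === null) {
        // Second layer: if the rejected value is echoed at all, encode it first.
        $shown = is_string($raw) ? h(substr($raw, 0, 40)) : '';
        return [400, "<p>Invalid news id: {$shown}</p>"];
    }
    // Encode on output even though the value has already been validated.
    return [200, '<h1>News item ' . h((string) $id) . '</h1>'];
}

// Constructed inputs: the value from the advisory, an array value, a valid id.
$samples = [
    ['id' => '<script>alert(document.cookie);</script>'],
    ['id' => ['nested']],
    ['id' => '42'],
];
foreach ($samples as $query) {
    [$status, $body] = render_fullnews($query);
    echo $status, ' ', $body, PHP_EOL;
}
```

Validation rejects the request before any lookup, and output encoding ensures the markup is rendered as text rather than executed if the value is ever reflected.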