Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Cross Site Scripting fusion news

From: "k1LL3r B0y" <k1ll3rb0y () hotmail com>
Date: Fri, 23 Apr 2004 04:54:51 +0200


=====================================================================
========================== DarkBicho ================================

        PROGRAM: fusion news
        HOMEPAGE: http://www.fusionphp.net/
        version: 3.6.1
        Bug: Cross Site Scripting
        Date:  22/04/2003
        Author: DarkBicho
                web: http://www.darkbicho.tk
                Email: darkbicho () peru com

=====================================================================

===============
1) Introduction
===============

fusion news is sofware free in php, This product is vulnerable to the
Cross-Site Scripting vulnerability that would allow attackers to inject
HTML and script codes into the pages and execute it on the client's
browser as if it were provided by the site.


===============
2) Exploit
===============

The XSS hole is in fullnews.php
http://site vulnerable/fullnews.php?id=<script>alert(document.cookie);</script> 



===============
2) SOLUTION
===============

the vendor was notified visits web site for patch




=====================================================================
DARKBICHO
www.darkbicho.tk
Made In Peru

advisore url: http://bichosoft.webcindario.com/advisory-02.txt

_________________________________________________________________
MSN Amor: busca tu ½ naranja http://latam.msn.com/amor/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: