Full Disclosure mailing list archives
XSS in 12Planet Chat Server 2.9
From: "Donato Ferrante" <fdonato () autistici org>
Date: Mon, 5 Jul 2004 07:56:21 -0000
Donato Ferrante Application: 12Planet Chat Server http://www.12planet.com Version: 2.9 Bug: cross site scripting Date: 05-Jul-2004 Author: Donato Ferrante e-mail: fdonato () autistici org web: www.autistici.org/fdonato xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1. Description 2. The bug 3. The code 4. The fix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ---------------- 1. Description: ---------------- Vendor's Description: "The #1 Professional Chat Server Software, bringing instant communication into web sites, intranet and extranet portals: setup your community chat rooms, organize celebrity chat events, collaborative work sessions or online meetings." xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 2. The bug: ------------ The input strings, into some field, are not filtered by the server so they will appear in the returned page. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 3. The code: ------------- To test the vulnerability: http://[host]:8080/servlet/one2planet.infolet.InfoServlet? page=<script>alert("hy")</script> ( all on the same line ) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 4. The fix: ------------ No fix. The vendor has not answered to my signalations. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- XSS in 12Planet Chat Server 2.9 Donato Ferrante (Jul 05)