Full Disclosure mailing list archives
Centrinity FirstClass HTTP Server Cross Site Scripting
From: "Richard Maudsley" <r.i.c.h () btopenworld com>
Date: Mon, 22 Mar 2004 19:30:03 +0000
Product: FirstClass HTTP Server Developer: Centrinity URL: http://www.centrinity.com Description: Injected code is rendered in the context of the vulnerable page. Exploit: http://[TARGET]/.Templates/Commands/Upload.shtml?TargetName=<script>alert('XSS')</script> It may be possible to steal cookies from users who are logged into the system. It is likely that other pages are also vulnerable. As usual, OpenText will not follow up this report, and it can be filed away with numerous other unpatched FirstClass bugs, hacks and exploits: http://search.securityfocus.com/swsearch?query=firstclass&metaname=swishtitle Enjoy, Richard Maudsley www.mindblock.org hey, jaw :) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Centrinity FirstClass HTTP Server Cross Site Scripting Richard Maudsley (Mar 23)
- <Possible follow-ups>
- Fw: Re: Centrinity FirstClass HTTP Server Cross Site Scripting Richard Maudsley (Mar 23)