Full Disclosure mailing list archives
Re: E-Data
From: pretty vacant <optimist () eurocompton net>
Date: Tue, 29 Mar 2005 13:47:33 -0500 (EST)
Thank you Donnie, This advisory was/is a perfect example of just how much of a true security professional you are. You are an irreplaceable asset to this list and the security community as a whole. The world is a safer place with you in it. God bless you.
-----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Morning
Wood
Sent: Tuesday, March 29, 2005 1:03 PM To: full-disclosure () lists grok org uk Subject: [Full-disclosure] E-Data ------------------------------------------------------------ - EXPL-A-2005-003 exploitlabs.com Advisory 032 - ------------------------------------------------------------ - E-Data - OVERVIEW ======== E-Data 2.0 is a powerful e-mail directory and management application
that
will enhance your web site by letting visitors add, change and delete
their
personal information to a directory AFFECTED PRODUCTS ================= E-Data 2.0 http://www.adventia.com/ DETAILS ======= E-Data has user supplied input fields in search and in the "add to
database"
functions. By inputting a query keyword followed by XSS style script,
future
users may search and find the keyword that contains the malicious xss. The XSS is of a persistant nature as it is stored in the applications database. SOLUTION ======== none 1st contact: March 16, 2005 ( no reply ) PROOF OF CONCEPT ================ The vendor has a demo site, PoC is in the database, just goto the "demo
url"
and enter "qwerty" in search box demo url: http://www.adventia.com/cgi-bin/dir.pl CREDITS ======= This vulnerability was discovered and researched by Donnie Werner of exploitlabs web: http://exploitlabs.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- E-Data Morning Wood (Mar 29)
- <Possible follow-ups>
- Re: E-Data pretty vacant (Mar 29)