Bugtraq mailing list archives
Cross-Site Scripting vulnerability in eCaptcha
From: "MustLive" <mustlive () websecurity com ua>
Date: Mon, 28 Sep 2009 23:45:14 +0300
Hello Bugtraq!I want to warn you about Cross-Site Scripting vulnerability in eCaptcha (plugin for E107). I found this hole in July 2008 and disclosed it at 25.09.2008.
XSS:POST query at page http://site/path/ecaptcha/?key=b7c9bf99e763252105f047a5ca5681d0
<script>alert(document.cookie)</script> in field: Type Here.Working key (ecaptcha_key) is required, which can be retrieved by script. Every key works only for one time.
Exploit: http://websecurity.com.ua/uploads/2008/eCaptcha%20XSS.htmlI mentioned about this vulnerability at my site (http://websecurity.com.ua/2253/).
Best wishes & regards, MustLive Administrator of Websecurity web sitehttp://websecurity.com.ua
Current thread:
- Cross-Site Scripting vulnerability in eCaptcha MustLive (Sep 28)