Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: E-Data

From: pretty vacant <optimist () eurocompton net>
Date: Tue, 29 Mar 2005 13:47:33 -0500 (EST)

Thank you Donnie,

This advisory was/is a perfect example of just how much of a true security
professional you are.

You are an irreplaceable asset to this list and the security community as
a whole. The world is a safer place with you in it.

God bless you.



-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Morning

Wood

Sent: Tuesday, March 29, 2005 1:03 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] E-Data

------------------------------------------------------------
       - EXPL-A-2005-003 exploitlabs.com Advisory 032 -
------------------------------------------------------------
                                 - E-Data -

OVERVIEW
========
E-Data 2.0 is a powerful e-mail directory and management application

that

will enhance your web site by letting visitors add, change and delete

their

personal information to a directory

AFFECTED PRODUCTS
=================
E-Data 2.0
http://www.adventia.com/

DETAILS
=======
E-Data has user supplied input fields in search and in the "add to

database"

functions. By inputting a query keyword followed by XSS style script,

future

users may search and find the keyword that contains the malicious xss.
The XSS is of a persistant nature as it is stored in the applications
database.

SOLUTION
========
none
1st contact: March 16, 2005 ( no reply )

PROOF OF CONCEPT
================
The vendor has a demo site, PoC is in the database, just goto the "demo

url"

and enter "qwerty" in search box demo url:
http://www.adventia.com/cgi-bin/dir.pl

CREDITS
=======
This vulnerability was discovered and researched by Donnie Werner of
exploitlabs

web: http://exploitlabs.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: