Home page logo
/

bugtraq logo Bugtraq mailing list archives

XSS in Authoria HR Suite
From: Max <rusmir () tula net>
Date: Wed, 9 Oct 2002 14:31:08 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
======

Cross-site scripting vulnerability (XSS) in Authoria HR suite

Vulnerable Application:
=======================

Authoria HR Suite (http://www.authoria.com) is HR information management
application used by many large enterprises.

Details:
========

Due to the unefficient URL filtering, which assumes that if you enclose
something in quites, it will be a string value, it is possible to inject
a javascript in the URL.

The fact that all unknown parameters are passed to string variables inside
<script> tag makes it even easier to exploit.

Demonstration:
==============

https://your.site.com/path.to/cgi-bin/athcgi.exe?command=showpage&script='],[0,0]];alert('Hello%20there!');a=[['

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9pKAg8mCpXsrcXpwRAn09AJ98PCYsK+XkzdZG/BmYz6dK26QhrgCdGg5B
GkqaU/8qIj8/unR8YxEI8Ns=
=TNOO
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • XSS in Authoria HR Suite Max (Oct 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault