<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos network security services platform

Bugtraq: Centra 7 XSS Exploit

Centra 7 XSS Exploit

From: Clorox <elac2k_at_hotmail.com>
Date: 12 Apr 2005 19:05:31 -0000

('binary' encoding is not supported, stored as-is) Centra is a program used by businesses and colleges, it allows users to stream microsoft office and other applications over the web in a nice enviroment with voip options. However on root directory when you go in to enroll for a session if you create or modify your username, first name, or last name to contain any html code it will be ran. For instance:

<script>alert("hi");</script> will result in a popup box that says hi

You can put iframes in the portal to keep people from being able to access the application.

FIX: Use the cleartext function to strip fields that users have input to.

- Clorox
http://g00ns.com
http://g00ns-forums.com
Received on Apr 12 2005

This message: [ Message body ]
Next message: IRM Advisories: "IRM 011: Sygate,Security Agent (Sygate Secure Enterprise) Fail Open DoS"
Previous message: iDEFENSE Labs: "iDEFENSE Security Advisory 04.12.05: Microsoft Internet Explorer DHTML Engine Race Condition Vulnerability"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]