Re: FleXiBle Development Script Remote Command Execution And XSS Attacking
From: "Steven M. Christey" <coley () mitre org>
Date: Wed, 5 Apr 2006 01:23:24 -0400 (EDT)
I have some questions about this report.
This web site requires a login. Even the front page is not
FleXiBle Development (FXB)
Is this a product, service, or a single web site? There is very
little information in Google.
//Defining some functions and including them
These require/include statements do not use any variables, so the
paths cannot be controlled by a remote attacker.
How does this "evilcode.txt" get into FXB? Do you upload it? Or do
you use directory traversal like ".." or "/abs/path"? Or do you do a
remote file inclusion?
Finally, your subject line says there is XSS, but your report does not
say anything about XSS. Is there also an XSS problem here?