Cross Site Scripting Vulnerability in Zoho Virtual Office
From: ss_team <ssteam.pl () gmail com>
Date: Mon, 17 Jul 2006 14:29:08 +0200
We have discovered a vulnerability in Zoho Virtual Office.
A malformed HTML message could lead to an XSS attack. It can cause cookie
theft leading to session hijacking.
browser's frame into evil script on attacker's server.
evil.php file contains code which saves cookie variables on evil server.
attacker can prepare cookie and hijack the user's session.
Affected version: 3.2 Build 3210 (latest), previous versions might
also be vulnerable.
Vendor was contacted 72 hours ago.
marc & shb