Home page logo

bugtraq logo Bugtraq mailing list archives

usd250 helpdesk XSS vulnerabily.
From: Joseph.giron13 () gmail com
Date: 22 Oct 2007 22:37:20 -0000


Within the helpdesk utility usd250, an XSS in the comments field is possible. 
The comments strip script tags and replace them with (not allowed), but
script tags dont need to be in place for XSS. Something along the lines of...
<b onmouseover="window.alert('omghax')">some text</b> Suffices. 

The fix is to use htmlentities() or htmlspecialchars() to filter ALL html
from user input.

  By Date           By Thread  

Current thread:
  • usd250 helpdesk XSS vulnerabily. Joseph . giron13 (Oct 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]