Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: SimpBook "message" Remote Cross-Site Scripting Vulnerability
From: Mbyte Security <mbytesecurity.org () gmail com>
Date: Fri, 6 Jan 2006 21:50:41 +0100

Listen little bastard ...  why dont you post the afected piece of code???
this "technical" description is not so technical ... its sucks! (like you)

And what kinda XSS allows "arbitrary execution of script code in the
security contextt of an affected website"  Did you ever known the meaning of
"cross site scripting" and how is the relation betwn webserver and
browser...


I wanna attach a pic of you and another of pan-zorra

--
Megabyte
http://mbytesecurity.org
El Dios de la Red
Saludos a mi ex-zorra Pandora, que me pone cuernos
Zeus,Cairo,Redpoint,x0p0x and all lame band



On 1/6/06, zeus olimpusklan <zeus.olimpusklan () gmail com> wrote:


###########################################################################
# Advisory #5 Title: SimpBook "message" Remote Cross-Site Scripting
Vulnerability
#
#
# Author: 0o_zeus_o0
# Contact: zeus () diosdelared com
# Website: Elitemexico.org
# Date: 05/01/2006
# Risk: High
# Vendor Url:      http://codegrrl.com/scripts/simpbook/
# Affected Software: SimpBook
# Non Affected:
#
# We Are: olimpus klan team
#
#TECHNICAL INFO
#================================================================
#
#An input validation vulnerability in SimpBook has been reported, which
can be exploited
#
#by remote users to conduct cross-site scripting attacks.
#
#User-supplied input passed to the "message" field isn't sanitised before
being stored in
#
#the guestbook. This can be exploited to execute arbitrary script code in
the security context
#
#of an affected website, as a result the code will be able to access any
of the target user's
#
#cookies, access data recently submitted by the target user via web form
to the site, or take
#
#actions on the site acting as the target user.
#
#Successful exploitation requires that "html_enable" is set to "on" in "
config.php".
#
#This is set to"on" in the default installation.
#
#Solution:
#
#Set "html_enable" to "off" in " config.php" or edit the source code to
ensure that input is properly sanitised.
#
#
#VULNERABLE VERSIONS
#================================================================
#SimpBook version 1.0. Other versions may also be affected.
#
#
#================================================================
#Contact information
#0o_zeus_o0
#zeus () diosdelared com
#www.olimpusklan.org
#================================================================
#greetz: lady fire, fraude, xoxo, El_Mesias

##############################################################################


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault