Full Disclosure mailing list archives

pmwiki: persistent cross site scripting (XSS), CVE-2010-1481
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 7 May 2010 14:30:09 +0200

The table feature of pmwiki is vulnerable to persistent cross site scripting 
(XSS). The value of the width-parameter is not properly escaped on output, so 
one can put quotes in it. This makes it possible to use a JavaScript event 
handler inside the first table field to inject code.


|| " onMouseOver=alert(1) " ||test||

The vendor has been contacted, but has not replied to my report.

Disclosure Timeline

2010-04-19: Vendor contacted
2010-05-07: Published advisory


This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of 
schokokeks.org webhosting.

Hanno Böck              Blog:           http://www.hboeck.de/
GPG: 3DBD3B20           Jabber/Mail:    hanno () hboeck de

http://schokokeks.org - professional webhosting


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
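
The class of bug the advisory describes, as an added example that is not part of the original message and is not PmWiki's code: a value placed unescaped into a double-quoted HTML attribute, next to a hardened form. The renderer functions and the `<td width=...>` output shape are assumptions made for illustration; the test value is the one quoted in the advisory.

```php
<?php
// Simplified model of a wiki table-cell renderer (hypothetical names).
// $width comes from page markup, so any editor of the page controls it.

// Before: the value is concatenated into a double-quoted attribute as-is.
// A double quote in $width ends the attribute, and whatever follows is
// parsed by the browser as further attributes of the same tag.
function render_cell_unescaped(string $width, string $text): string
{
    return '<td width="' . $width . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Encoding only: quotes become entities, so the value stays inside the
// attribute no matter what it contains.
function render_cell_encoded(string $width, string $text): string
{
    return '<td width="' . htmlspecialchars($width, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Allow-list plus encoding: a width is a short number with an optional
// unit, so anything else is dropped before it reaches the output.
function render_cell_hardened(string $width, string $text): string
{
    $width = trim($width);
    $attr = '';
    if (preg_match('/\A\d{1,4}(%|px)?\z/', $width) === 1) {
        $attr = ' width="' . htmlspecialchars($width, ENT_QUOTES, 'UTF-8') . '"';
    }
    return '<td' . $attr . '>'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Inputs: one ordinary width, and the value quoted in the advisory.
$samples = ['50%', '" onMouseOver=alert(1) "'];

foreach ($samples as $width) {
    echo 'input:      ', $width, PHP_EOL;
    echo 'unescaped:  ', render_cell_unescaped($width, 'test'), PHP_EOL;
    echo 'encoded:    ', render_cell_encoded($width, 'test'), PHP_EOL;
    echo 'hardened:   ', render_cell_hardened($width, 'test'), PHP_EOL, PHP_EOL;
}
```

Comparing the three output lines for the second input shows where the attribute boundary ends up in each case.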
