List: bugtraq
Subject: singapore v0.9.11 cross site scripting and path disclosure
From: thegreatone2176 () yahoo ! com
Date: 2005-06-12 21:16:24
Message-ID: 20050612211624.32412.qmail () securityfocus ! com
Because of singapore's heavy use of classes it has multiple path disclosure occurrences. The following pages all produced class-related errors when navigating directly to them in your browser.

gallery/includes/admin.class.php
templates/admin_default/ all the .tpl.php files
templates/default/ all the .tpl.php files

Also the gallery $_GET parameter on www.site.com/index.php is not properly checked, leading to cross site scripting. We used
http://www.site.com/index.php?gallery=%3Cimg%20onmouseover=%22alert('hi')%22%20style=%22position:%20absolute;%20top:0px;%20left:%200px;%20width:%201000%;%20height:%201000%;%22%3E
and other similar scripts to produce the xss.
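Both weaknesses reported above, shown as an added PHP example that is not singapore's own code: a handler that echoes the `gallery` parameter unencoded (reflected XSS) next to a hardened version, and a guard that stops class/template files from being loaded directly and from printing their absolute path in an error. The function names and the `SINGAPORE_ENTRY` constant are assumptions, not the project's identifiers.

```php
<?php
// Added example; assumed handler shape for index.php?gallery=...

// VULNERABLE: the raw query value is written straight into HTML, so a value
// that contains a tag (as in the advisory's <img onmouseover=...> request)
// is rendered as markup instead of text.
function render_gallery_title_vulnerable(): string {
    $gallery = $_GET['gallery'] ?? '';
    return "<h1>Gallery: $gallery</h1>";
}

// HARDENED: (1) validate the value against the shape a gallery name can
// legitimately have, and (2) HTML-encode it at output time regardless,
// so a future relaxation of the allow-list still cannot inject markup.
function render_gallery_title(): string {
    $gallery = $_GET['gallery'] ?? '';
    // Assumption: gallery names map to directory names under the gallery root.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $gallery)) {
        http_response_code(400);
        return '<h1>Invalid gallery</h1>';
    }
    $safe = htmlspecialchars($gallery, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Gallery: $safe</h1>";
}

// PATH DISCLOSURE: a class or .tpl.php file requested on its own has no
// includer, so its references to undefined classes or variables raise PHP
// errors that, with display_errors enabled, echo the absolute file path.
// Call this at the top of every include-only file; index.php is assumed to
// define SINGAPORE_ENTRY before including anything.
function require_entry_point(): void {
    if (!defined('SINGAPORE_ENTRY')) {
        http_response_code(404);   // behave like a missing page, reveal nothing
        exit;
    }
}

// Independently of the guard, never show PHP errors to clients: log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The allow-list rejects the advisory's request outright, and the encoding step turns any residual `<`, `>`, or quote into a harmless entity.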