[SCSA-008] Cross Site Scripting & Script Injection Vulnerability in PY-Livredor

From: Grégory (gregory.lebras@security-corp.org)
Date: Sun Mar 02 2003 - 13:22:04 PST


    ________________________________________________________________________
    
    Security Corporation Security Advisory [SCSA-008]
    ________________________________________________________________________
    
    PROGRAM: PY-Livredor
    HOMEPAGE: http://www.py-scripts.com
              http://www.scripts-php.com
    VULNERABLE VERSIONS: v1.0
    ________________________________________________________________________
    
    DESCRIPTION
    ________________________________________________________________________
    
    PY-Livredor is a simple guestbook script using PHP4 and MySQL, with an
    administration interface that allows message deletion.
    
    
    DETAILS
    ________________________________________________________________________
    
    A Cross-Site Scripting vulnerability has been found in PY-Livredor
    which allows attackers to inject script code into the guestbook and have
    it executed in visitors' browsers as if it were provided by the website.
    
    This Cross-Site Scripting vulnerability is found in the page for
    posting messages (index.php).
    
    An attacker can input specially crafted links and/or other
    malicious scripts.
    
    
    EXPLOIT
    ________________________________________________________________________
    
    A vulnerability was discovered in the page for posting messages,
    at this address:
    
    http://[target]/livredor/index.php
    
    
    The vulnerability lies in the handling of the "titre", "Votre pseudo",
    "Votre e-mail" and "Votre message" fields.
    
    Inserting hostile script code in any of these fields allows a malicious
    user to have that script executed in the browsers of the visitors.
    
    
    The hostile code could be:
    
    [script]alert("Cookie="+document.cookie)[/script]
    
    (opens a window displaying the visitor's cookie.)
    
    (replace [] by <>)
    
    
    SOLUTIONS
    ________________________________________________________________________
    
    No solution for the moment.
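    As an added illustration (not part of the advisory or of PY-Livredor's own code), the Python below mirrors how a guestbook renders the four fields named above: render_entry_unsafe reproduces the reported behaviour, render_entry applies output encoding appropriate to each HTML context (the equivalent of PHP's htmlspecialchars with ENT_QUOTES) and only emits a mailto: link for a well-formed address, and find_injected flags already-stored rows an administrator should review and delete. The sample rows, the email and markup regexes and the field keys are constructed assumptions.

```python
import html
import re

# Constructed sample guestbook rows (not real PY-Livredor data), built from
# the four fields named in the advisory: "titre", "Votre pseudo",
# "Votre e-mail", "Votre message". Row 1 carries the advisory's payload.
ENTRIES = [
    {"titre": "Bonjour", "pseudo": "alice", "email": "alice@example.org",
     "message": "Nice guestbook, it's simple & clean."},
    {"titre": '<script>alert("Cookie="+document.cookie)</script>',
     "pseudo": 'bob" onmouseover="alert(1)',
     "email": 'x" href="javascript:alert(1)',
     "message": '<img src=x onerror=alert(1)>'},
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Triage heuristic for rows stored before a fix is deployed: a tag opener,
# an inline event handler or a javascript: URL in any field.
MARKUP_RE = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)

def render_entry_unsafe(e):
    """Echoes the stored fields verbatim: the behaviour the advisory reports."""
    return ('<h3>%(titre)s</h3><a href="mailto:%(email)s">%(pseudo)s</a>'
            '<p>%(message)s</p>' % e)

def render_entry(e):
    """Hardened rendering: every field is HTML-encoded for the context it lands
    in (PHP equivalent: htmlspecialchars($s, ENT_QUOTES)); the e-mail only
    becomes a mailto: link if it is a well-formed address."""
    esc = lambda s: html.escape(s, quote=True)
    if EMAIL_RE.match(e["email"]):
        author = '<a href="mailto:%s">%s</a>' % (esc(e["email"]), esc(e["pseudo"]))
    else:
        author = "<b>%s</b>" % esc(e["pseudo"])
    return "<h3>%s</h3>%s<p>%s</p>" % (esc(e["titre"]), author, esc(e["message"]))

def find_injected(entries):
    """Indices of stored rows an administrator should review and delete."""
    return [i for i, e in enumerate(entries)
            if any(MARKUP_RE.search(v) for v in e.values())]

if __name__ == "__main__":
    for e in ENTRIES:
        print(render_entry(e))
    print("rows to review:", find_injected(ENTRIES))
```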
    
    
    VENDOR STATUS
    ________________________________________________________________________
    
    The vendor has reportedly been notified.
    
    
    LINKS
    ________________________________________________________________________
    
    http://www.security-corp.org/index.php?ink=4-15-1
    
    French version:
    
    http://www.security-corp.org/advisories/SCSA-008-FR.txt
    
    
    ------------------------------------------------------------
    Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
    ------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 11:15:28 PST