From: gcsb (gcsbnzyahoo.com)
Date: Sat Apr 20 2002 - 02:51:53 CDT
PostCalendar is an add-on for the popular PostNuke
content management system. It provides a calendar that
lets users add events to.
A user can add an event with unchecked HTML tags in it.
This includes the <script> tag, which allows an
attacker to steal cookies, redirect the site and much
As a logged-in user, enter a bogus calendar entry
WITHOUT any HTML. Hit the preview button. On the
screen you get from that, alter your post to contain
tags. Hit submit.
will execute. (The calendar block is not affected by
this, only the main pages.)
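The bypass above works because the form shown on the preview page is trusted when it is re-submitted. The following Python sketch is an added example, not PostCalendar's or PostNuke's code: it shows a hypothetical event handler in which both the preview and the submit path go through the same output escaping, plus a small audit helper for finding events that were stored with raw tags before a fix was applied. The form fields, class and function names are assumptions for the demo.

```python
import html
import re

# Matches anything the browser would parse as an HTML tag; "2 < 3" does not match.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Constructed sample submissions following the advisory's steps:
# a clean preview, then a re-submission edited to contain a <script> tag.
SAMPLE_FORMS = [
    {"action": "preview", "title": "Team meeting", "desc": "Room 4, 10am"},
    {"action": "submit", "title": "Team meeting",
     "desc": "Room 4 <script>alert(1)</script>"},
]


def escape_event_field(value: str) -> str:
    """Escape <, >, &, and quotes so the field renders as literal text."""
    return html.escape(value, quote=True)


def contains_markup(value: str) -> bool:
    """True if the stored text holds something that parses as an HTML tag.

    Intended for auditing events saved while the unpatched version was running."""
    return TAG_RE.search(value) is not None


class CalendarEvents:
    """Hypothetical stand-in for the event handler (not PostCalendar's code)."""

    def __init__(self) -> None:
        self.stored = []  # raw (title, desc) tuples, as a database would hold them

    @staticmethod
    def render(title: str, desc: str) -> str:
        # Escaping happens at render time on every path, so it makes no
        # difference whether the text arrived via preview or via submit.
        return f"<li><b>{escape_event_field(title)}</b>: {escape_event_field(desc)}</li>"

    def handle(self, action: str, form: dict) -> str:
        title = form.get("title", "")
        desc = form.get("desc", "")
        if action == "preview":
            return self.render(title, desc)
        if action == "submit":
            self.stored.append((title, desc))
            return self.render(title, desc)
        raise ValueError(f"unknown action: {action!r}")

    def audit(self) -> list:
        """Return stored events whose text contains markup, for review."""
        return [(t, d) for t, d in self.stored if contains_markup(t) or contains_markup(d)]


def demo() -> list:
    """Run the constructed preview/submit sequence and return the rendered HTML."""
    cal = CalendarEvents()
    return [cal.handle(f["action"], f) for f in SAMPLE_FORMS]


if __name__ == "__main__":
    for rendered in demo():
        print(rendered)
```

The important property is that the escaping sits in `render`, the one place every path converges, rather than in a check on the first form submission that the preview page can skip. The `audit` helper is for operators of an already-deployed site: it flags events that were saved with tags so they can be reviewed after the patch goes in.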
Vendor notified 19/Apr/2002 21:19 PDT. Initial
response received 20 Apr 2002 01:41 PDT (very nice!).
Patch sent to me a few hours later. (Yahoo has its
times in PDT, ah well). Cool vendor! Thanks dude!
Unsure of next version release, but asked vendor to
release patch if nothing else. Asked vendor if I could
include patch in advisory - but I think he went to
sleep (it was 3:30am his time)...:\
I'll include it anyhow, I'm sure he won't mind :) You
might want to check it doesn't break your site
though...I will take no responsibility!!! :)
Greets to all the nz2600 peeps!
Disclaimer: I don't work for the GCSB, ok? :)
- application/gzip attachment: PostCalendar-3.02-patch.tar.gz