|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Max (rusmir_at_tula.net)
Date: Wed Oct 09 2002 - 16:31:08 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Title:
======
Cross-site scripting vulnerability (XSS) in Authoria HR suite
Vulnerable Application:
=======================
Authoria HR Suite (http://www.authoria.com) is HR information management
application used by many large enterprises.
Details:
========
Due to the unefficient URL filtering, which assumes that if you enclose
something in quites, it will be a string value, it is possible to inject
a javascript in the URL.
The fact that all unknown parameters are passed to string variables inside
<script> tag makes it even easier to exploit.
Demonstration:
==============
https://your.site.com/path.to/cgi-bin/athcgi.exe?command=showpage&script='],[0,0]];alert('Hello%20there!');a=[['
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE9pKAg8mCpXsrcXpwRAn09AJ98PCYsK+XkzdZG/BmYz6dK26QhrgCdGg5B
GkqaU/8qIj8/unR8YxEI8Ns=
=TNOO
-----END PGP SIGNATURE-----
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]