singapore v0.9.11 cross site scripting and path disclosure
From: thegreatone2176 at yahoo.com
Date: Sun Jun 12 2005 - 16:16:24 CDT
Because of singapore's heavy use of classes it has multiple path disclosure occurrences. The following pages all produced class-related errors when navigating directly to them in your browser.
gallery/includes/admin.class.php
templates/admin_default/ all the .tpl.php files
templates/default/ all the .tpl.php files
Also, the gallery $_GET parameter on www.site.com/index.php is not properly checked, leading to cross-site scripting. We used http://www.site.com/index.php?gallery=%3Cimg%20onmouseover=%22alert('hi')%22%20style=%22position:%20absolute;%20top:0px;%20left:%200px;%20width:%201000%;%20height:%201000%;%22%3E
and other similar scripts to produce the XSS.
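The following PHP is an added illustration of the two bug classes reported in the post; it is not singapore's code and was not part of the original message. It puts the vulnerable reflection pattern (request parameter copied straight into the page) next to a hardened handler that validates the gallery name as a path under the gallery root and HTML-encodes it on output, and it shows in a comment the direct-access guard that stops the include/template files from erroring out with their filesystem path. The function names, the SINGAPORE_ENTRY constant, the temporary gallery root and the "holiday" directory are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

/*
 * Path disclosure, as reported for gallery/includes/admin.class.php and the
 * templates/.../*.tpl.php files: a file meant only to be included is requested
 * directly, runs without the classes and variables it expects, and PHP prints
 * an error that contains the absolute path. The usual fix is a guard at the
 * top of every such file (SINGAPORE_ENTRY is an assumed name, not the project's):
 *
 *     if (!defined('SINGAPORE_ENTRY')) { header('HTTP/1.0 403 Forbidden'); exit; }
 *
 * with define('SINGAPORE_ENTRY', true); in index.php before any include, plus
 * display_errors=Off in production so an unguarded file still cannot echo
 * "Fatal error: ... in /var/www/..." to the client.
 */

/* Vulnerable pattern: the gallery name is copied from the query string into
 * the page verbatim, so the <img onmouseover=...> payload from the post is
 * reflected as live markup. */
function render_gallery_vulnerable(array $get): string
{
    $gallery = (string)($get['gallery'] ?? '.');
    return "<h1>Gallery: $gallery</h1>";
}

/* Returns the gallery name if it names an existing directory inside
 * $galleryRoot, otherwise null. Rejects NUL bytes, absolute paths and ".."
 * segments before touching the filesystem, then confirms the canonical path
 * is still under the root. */
function validate_gallery(string $gallery, string $galleryRoot): ?string
{
    if ($gallery === '') {
        $gallery = '.';
    }
    if (strpos($gallery, "\0") !== false
        || $gallery[0] === '/' || $gallery[0] === '\\'
        || preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $gallery) === 1) {
        return null;
    }
    $rootReal = realpath($galleryRoot);
    $real     = realpath($galleryRoot . '/' . $gallery);
    if ($rootReal === false || $real === false || !is_dir($real)) {
        return null;
    }
    if ($real !== $rootReal
        && strncmp($real, $rootReal . '/', strlen($rootReal) + 1) !== 0) {
        return null;
    }
    return $gallery;
}

/* Hardened pattern: validate the value as a path (protects the filesystem) and
 * HTML-encode it on output (protects the HTML context). Both are needed; a
 * directory that really exists can still have a name that breaks out of a tag. */
function render_gallery_safe(array $get, string $galleryRoot): string
{
    $gallery = validate_gallery((string)($get['gallery'] ?? '.'), $galleryRoot);
    if ($gallery === null) {
        return '<h1>Gallery not found</h1>';   // a real handler would also send a 404
    }
    return '<h1>Gallery: '
        . htmlspecialchars($gallery, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h1>';
}

// Demo with a throwaway gallery root (constructed input, not a real install).
$root = sys_get_temp_dir() . '/sg_demo_' . getmypid();
mkdir($root . '/holiday', 0700, true);
// The payload from the post, URL-decoded.
$payload = '<img onmouseover="alert(\'hi\')" style="position: absolute; top:0px; '
         . 'left: 0px; width: 1000%; height: 1000%;">';

echo render_gallery_vulnerable(['gallery' => $payload]), "\n";
echo render_gallery_safe(['gallery' => $payload], $root), "\n";
echo render_gallery_safe(['gallery' => 'holiday'], $root), "\n";
echo render_gallery_safe(['gallery' => '../../etc'], $root), "\n";

rmdir($root . '/holiday');
rmdir($root);
```

Run it with php-cli: the vulnerable renderer hands the img tag back unchanged, while the hardened one refuses the payload and the traversal attempt (neither names a directory under the root) and only renders the real "holiday" gallery, encoded. Validation and output encoding are kept as separate controls on purpose: the first keeps the parameter from reaching the filesystem as anything but an existing gallery, the second keeps whatever is rendered from being parsed as markup.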