Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22538
HistorySep 30, 2009 - 12:00 a.m.

Cross-Site Scripting vulnerability in eCaptcha

2009-09-3000:00:00
vulners.com
11
JSON

Hello Bugtraq!

I want to warn you about Cross-Site Scripting vulnerability in eCaptcha
(plugin for E107). I found this hole in July 2008 and disclosed it at
25.09.2008.

XSS:

POST query at page
http://site/path/ecaptcha/?key=b7c9bf99e763252105f047a5ca5681d0

<script>alert(document.cookie)</script>
in field: Type Here.

Working key (ecaptcha_key) is required, which can be retrieved by script.
Every key works only for one time.

Exploit:

http://websecurity.com.ua/uploads/2008/eCaptcha&#37;20XSS.html

I mentioned about this vulnerability at my site
(http://websecurity.com.ua/2253/&#41;.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON