From: High-Tech Bridge Security Research <advisory_(at)_htbridge.ch>
Date: 4 November 2010
Subject: XSS in Textpattern CMS

Vulnerability ID: HTB22672
Reference: http://www.htbridge.ch/advisory/xss_in_textpattern_cms.html
Product: Textpattern CMS
Vendor: Team Textpattern  ( http://textpattern.com/ )
Vulnerable Version: 4.2.0
Vendor Notification: 21 October 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)

Vulnerability Details:
Anyone able to post a comment can inject arbitrary JavaScript that executes within the vulnerable application; the issue is exposed whenever comments on articles are enabled.
Successful exploitation could result in compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.

An attacker needs nothing more than a browser to exploit this vulnerability: post the following comment on any article. The !url! syntax is Textile image markup; the double quote inside the URL closes the generated src="..." attribute, so the remainder is parsed by the browser as an onerror handler on the resulting <img> tag, and it fires because the image cannot be loaded:

Nice site. !http://123"onerror="javascript:document.location.href='http://htbridge.ch';"!

Solution: Upgrade to the most recent version
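To make the mechanism concrete, here is an added example that is not Textpattern's or High-Tech Bridge's code: a minimal model of how Textile's !url! image markup is turned into an <img> tag, first in the vulnerable form the advisory describes (URL copied into the attribute verbatim) and then in a hardened form (scheme check plus attribute escaping), run over a constructed copy of the proof-of-concept comment. The function names, the regular expression and the sample comments are assumptions for this illustration; the real Textile parser and the vendor's actual fix are more involved.

```javascript
// Added example, not Textpattern's code: a minimal model of how Textile's
// image markup  !url!  is rendered to an <img> tag, first as the vulnerable
// pattern the advisory describes and then in a hardened form.
// Function names and the sample comments are constructed for this illustration.

// Textile image syntax: !http://host/pic.png!  ->  <img src="http://host/pic.png" />
// One image per pair of bangs; the URL may not contain "!" or start with whitespace.
const IMAGE_RE = /!([^!\s][^!]*?)!/g;

// Vulnerable renderer: the URL is copied into the src attribute verbatim.
// A double quote inside the URL closes src="..." and whatever follows is parsed
// by the browser as further attributes, e.g. an onerror handler.
function renderImagesVulnerable(text) {
  return text.replace(IMAGE_RE, (_match, url) => `<img src="${url}" alt="" />`);
}

// Escape the five characters that matter inside a double-quoted HTML attribute.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only http(s) URLs that parse cleanly and contain no characters that
// have no business in an image URL (quotes, angle brackets, whitespace).
function isSafeImageUrl(url) {
  if (/["'<>\s]/.test(url)) return false;
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hardened renderer: validate the URL, then escape it anyway (defence in depth).
// Markup that fails validation is emitted as escaped literal text, not as an <img>.
function renderImagesHardened(text) {
  return text.replace(IMAGE_RE, (match, url) =>
    isSafeImageUrl(url) ? `<img src="${escapeAttr(url)}" alt="" />` : escapeAttr(match));
}

// Triage helper for comments already stored on a not-yet-upgraded install:
// true if any !url! in the comment would be rejected by isSafeImageUrl.
function hasSuspiciousImageMarkup(comment) {
  for (const m of comment.matchAll(IMAGE_RE)) {
    if (!isSafeImageUrl(m[1])) return true;
  }
  return false;
}

// Constructed copy of the advisory's proof-of-concept comment. http://123 is not
// a loadable image, so the injected onerror handler fires and redirects the viewer.
// (Inside an event-handler attribute the "javascript:" prefix is merely a JS label.)
const POC_COMMENT =
  'Nice site. !http://123"onerror="javascript:document.location.href=\'http://htbridge.ch\';"!';
const BENIGN_COMMENT = 'Nice site. !http://example.com/cat.png!';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable :', renderImagesVulnerable(POC_COMMENT));
  console.log('hardened   :', renderImagesHardened(POC_COMMENT));
  console.log('benign     :', renderImagesHardened(BENIGN_COMMENT));
  console.log('suspicious?:', hasSuspiciousImageMarkup(POC_COMMENT), hasSuspiciousImageMarkup(BENIGN_COMMENT));
}
```

The vulnerable renderer emits `<img src="http://123"onerror="..."" alt="" />`, which the browser reads as two attributes; the hardened one never lets the comment author control anything but an escaped, http(s)-only src value. The remedy on a real site is the vendor upgrade; hasSuspiciousImageMarkup is only a way to sweep existing comments for the pattern while that is pending.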

© SecurityVulns, 3APA3A, Vladimir Dubrovin, Nizhny Novgorod