From: tamriel_(at)_gmx.net <tamriel_(at)_gmx.net>
Date: 26 July 2006
Subject: [Full-disclosure] TP-Book <= 1.00 Cross Site Scripting Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

     Advisory: TP-Book <= 1.00 Cross Site Scripting Vulnerabilities
 Release Date: 2006/07/25
Last Modified: 2006/07/25
       Author: Tamriel [tamriel at gmx dot net]
  Application: TP-Book <= 1.00
         Risk: Low
Vendor Status: not contacted
  Vendor Site: tobias.kloy.googlepages.com


Overview:

  Quote from tobias.kloy.googlepages.com (translated from German):

  "The guestbook offers the following features:
   - Customizable templates
   - Many systems for keeping out persistent spammers
   - Admin control panel
   - Simple installation through a wizard"


Details:

     The name field of a guestbook post is not checked or encoded by the
     script before it is displayed. An attacker can therefore place HTML
     or script in the name of a post and perform cross-site scripting
     attacks against visitors who view the guestbook.


Solution:

     Encode the name (and every other user-supplied field) with PHP's
     htmlentities() function before writing it into the page.
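     The following is an added worked example, not code from TP-Book or
     from the advisory author: a minimal guestbook renderer that leaves the
     name field unchecked, next to a version that applies the htmlentities()
     fix named above. The post layout, the function names and the sample
     posts are assumptions made for illustration.

```php
<?php
// Added example for this advisory, not code from TP-Book: a minimal guestbook
// renderer with the unchecked "name" field beside a version that encodes it
// with htmlentities(). Post layout, function names and sample posts are
// assumptions made for illustration.
declare(strict_types=1);

// Constructed sample posts. The second and third carry the kind of payload the
// advisory describes: script or tag markup placed in the name field.
const SAMPLE_POSTS = [
    ['name' => 'Alice',                                   'text' => 'Nice guestbook!'],
    ['name' => '<script>alert(document.cookie)</script>', 'text' => 'hi'],
    ['name' => '"><img src=x onerror=alert(1)>',          'text' => 'attribute breakout'],
];

// Vulnerable rendering: the name (and text) go into the HTML untouched, so a
// stored payload runs in the browser of every visitor who views the page.
function renderPostVulnerable(array $post): string
{
    return '<div class="post"><b>' . $post['name'] . '</b>: '
         . $post['text'] . "</div>\n";
}

// Output-encoding helper. ENT_QUOTES encodes both ' and " so the value is also
// safe inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise make a field vanish.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted value is encoded at the point of output.
function renderPostSafe(array $post): string
{
    return '<div class="post"><b>' . h($post['name']) . '</b>: '
         . h($post['text']) . "</div>\n";
}

// Regression check: true when an untrusted field that contains HTML
// metacharacters appears verbatim in the rendered markup.
function rawMarkupSurvives(string $html, array $post): bool
{
    foreach (['name', 'text'] as $field) {
        $value = $post[$field];
        if (preg_match('/[<>"\']/', $value) === 1 && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

foreach (SAMPLE_POSTS as $post) {
    $bad  = renderPostVulnerable($post);
    $good = renderPostSafe($post);
    echo "vulnerable: $bad";
    echo "hardened:   $good";
    // Report whether each rendering let an untrusted field through unencoded.
    printf("payload survives? vulnerable=%s hardened=%s\n\n",
        rawMarkupSurvives($bad, $post) ? 'yes' : 'no',
        rawMarkupSurvives($good, $post) ? 'yes' : 'no');
}
```

     Run it with `php guestbook.php`. Because guestbook entries are stored
     and shown to every later visitor, including whoever reviews them
     through the admin control panel, the encoding has to be applied on
     every page that prints the name, not only on the public listing.
     Encode at output with the page's real character set; stripping tags at
     input is not a substitute, since a value that is harmless as text can
     still break out of an attribute.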


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFExnoFqBhP+Twks7oRAvnvAJ93lO3W/o+PmtaTKitjw6qVxkXK0gCfR67W
af8OIcTNC9Ggkrwlk4QLyHo=
=sIc9
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod