[27252] in bugtraq
Postnuke XSS fixed
daemon@ATHENA.MIT.EDU (Muhammad Faisal Rauf Danka)
Wed Oct 2 15:02:43 2002
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
Date: Tue, 1 Oct 2002 21:10:21 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: bugtraq@securityfocus.com
Reply-To: mfrd@attitudex.com
Message-Id: <20021002041021.1E4EA3ABE@sitemail.everyone.net>
on 26th Sep the following url:
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=<script>alert(document.cookie);</script>
used to give Alert PopUp and
Error:
DB Error: getArticles: 1064: You have an error in your SQL syntax near '='
at line 23
now it gives:
Sorry - $HTTP_GET_VARS contains javascript...
Prompt fix by PostNuke team, great work Keep it up! :)
Regards
--------
Muhammad Faisal Rauf Danka
Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B
784B 0202
_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------
_____________________________________________________________
Select your own custom email address for FREE! Get you@yourchoice.com w/No Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag
