Ads HTML injection and XSS (Cross Site Scripting) Tuesday, 09 May 2006 Script: OpenFAQ Version: 0.4.0 previous version probably too. Language: PHP Problem: HTML injection and XSS (Cross Site Scripting) Vendor: http://sourceforge.net/projects/openfaq Discovered by: Kamil K3 Sienicki Description: OpenFAQ is a PHP application that lets Webmasters administrate a Frequently Asked Questions section on their Web site. It has an admin section for easily adding questions and answers and editing the general configuration. Problem: A remote user can send via form a specially crafted data. When admin try to validate questions in administration panel, specially crafted data will be executed. Example exploit: value=""> Example fix: file validate.php 35 while ($row = mysql_fetch_array($get_new)) { 36 echo "".htmlspecialchars($row[question])." ( href=delete.php?type=n&id=$row[id]>$lang[delete], href=edit.php?type=n&id=$row[id]>$lang[editpublish]) "; 37 } 38 } -- Kamil K3 Sienicki   < Prev   Next > [ Back ]

Main Menu SpamAlerts | Windows | Linux | Tutorials | Excell | WhitePapers | News | Spam | Virus Windows Focus VNews Vulnerability Hacking Sql Injection map Downloads Affiliates Online Store Free Ringtones Seo Directory IWebListin Jobs in India Freshers Jobs listings. Winkeyfinder

Copyright 2005-2007 SpamAlertz.com, Content on this site is From variuos other emails, and Advisories.