[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability
- To: bugtraq@securityfocus.com
- Subject: ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability
- From: G00db0y <G00db0y@zone-h.org>
- Date: 13 Aug 2003 16:03:33 -0000
ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability
Published: 13 august 2003
Released: 13 august 2003
Name: ChitChat.NET
Affected Systems: 2.0
Issue: Remote attackers can inject XSS script
Author: G00db0y@zone-h.org
Vendor: http://clickcess.com/
Description
***********
Zone-h Security Team has discovered a flaw in ChitChat.NET v2.0 (and older
versions?).
"ChitChat.NET is an ASP.NET based discussion forum designed specifically
for SQL Server."
Details
*******
It's possibile to inject XSS script in the Name box and in the Topic Title
box.
For example try this:
Name: <script>alert(Zone-h1)</script>
Email address: test@test.com
Topic title: <script>alert(Zone-h)</script>
Message: www.Zone-h.org
Solution:
*********
The vendor has been contacted and a patch was produced.
Suggestions:
************
Filter the posting procedure.
G00db0y - www.zone-h.org admin
Original advisory here: http://www.zone-h.org/en/advisories/read/id=2882/