[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

EasyCMS vulnerable to XSS injection.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: EasyCMS vulnerable to XSS injection.
From: preben@xxxxxxxxxxx
Date: 29 Jan 2006 20:42:40 -0000

The Norwegian web-publishing system EasyCMS (www.easycms.no) contains multiple 
input flaws letting users conduct successful XSS attacks. Both in the admin 
section, and the webpage that uses the system is vulnerable to XSS.

It does not filter script tags and simple scripting like 
<script>alert(?XSS?)</script> will work. Nearly all of the systems input boxes 
is open for scripting tags.

Furthermore it?s open for directory browsing ( http://<site>/images ).
The developers has been notified, and working on patching the system.

Please credit to: Preben Nyløkken

Prev by Date: TSLSA-2006-0004 - multi
Next by Date: Re: [Full-disclosure] [ GLSA 200601-15 ] Paros: Default administrator password
Previous by thread: TSLSA-2006-0004 - multi
Next by thread: [SECURITY] [DSA 951-2] New trac packages fix SQL injection and cross-site scripting
Index(es):
- Date
- Thread