[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xss] i found a Cross Site Scripting Vulnerability about Discuz! 'uid' Parameter

To: <bugtraq-owner@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [xss] i found a Cross Site Scripting Vulnerability about Discuz! 'uid' Parameter
From: lis cker <liscker@xxxxxxxxxxx>
Date: Mon, 1 Mar 2010 16:56:37 -0800

i'm sorry, i just write some real sites to confirm the truth of my found, now , 
i remove it. and thanks for you.
 
 
 
 
Discuz! is prone to an cross-site scripting vulnerability because the 
application fails to properly sanitize user-supplied input. An attacker may 
leverage this issue to execute arbitrary script code in the browser of an 
unsuspecting user in the context of the affected site. This may allow the 
attacker to steal cookie-based authentication credentials and to launch other 
attacks. 
Discuz! 6.0.0 is vulnerable; other versions may also be affected Discuz! 
 
Home Page : http://www.discuz.com/  
 
i found a xss on "uid" parameter in "eccredit.php" in discuz! 6.0.0 , it's 
"eccredit.php?action=list&uid="  
 
for example:
http://www.example.com:80/eccredit.php?action=list&uid=";><script>alert(/Liscker/);</script>
 
 
 
 
 
Liscker@xxxxxxxxxxx
2010.3.2                                          
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
http://clk.atdmt.com/GBL/go/201469230/direct/01/

Prev by Date: [ MDVSA-2010:052 ] sudo
Next by Date: Re: Re: Circumventing Critical Security in Windows XP
Previous by thread: [ MDVSA-2010:052 ] sudo
Next by thread: Todd Miller Sudo local root exploit discovered by Slouching
Index(es):
- Date
- Thread