[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: phpinfo() XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: phpinfo() XSS Vulnerability
From: Salvatore Fresta aka Drosophila <drosophilaxxx@xxxxxxxxx>
Date: Mon, 8 Mar 2010 22:29:50 +0100

I tested it with php 5.1.6 and 5.2.6 and seems not work. The
request_uri's content is encoded before to be printed:

/phpinfo.php?+%3CScRipT%3Ealert(0111001101100101011000110111010101110010011010010111010001111001);%3C/sCrIpT%3E+

-- 
Salvatore Fresta aka Drosophila
http://www.salvatorefresta.net
CWNP444351

References:
- phpinfo() XSS Vulnerability
  - From: info

Prev by Date: rPSA-2010-0013-1 gzip
Next by Date: Croogo CMS 1.2 Cross Site Scripting Vulnerabilities
Previous by thread: phpinfo() XSS Vulnerability
Next by thread: [XSS] i found a xss on "page" parameter in "eccredit.php" in Dvbbs < 8.3.0
Index(es):
- Date
- Thread