Computer Security

Security Advisory: usd250 helpdesk XSS vulnerabily.
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  [Trick] VigileCMS All Versions DataMining Remote Hash Disclosure

  Multi Host Forum Pro phpbb & ipb Multiple Sql Injection

  TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion

  i-Gallery 3.4 bug crack password!

From:joseph.giron13_(at)_gmail.com <joseph.giron13_(at)_gmail.com>
Date:26.10.2007
Subject:usd250 helpdesk XSS vulnerabily.


http://www.oneorzero.com/

Within the helpdesk utility usd250, an XSS in the comments field is possible.
The comments strip script tags and replace them with (not allowed), but
script tags dont need to be in place for XSS. Something along the lines of...
<b onmouseover="window.alert('omghax')">some text</b> Suffices.

The fix is to use htmlentities() or htmlspecialchars() to filter ALL html
from user input.
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru
test server