Computer Security
[EN] securityvulns.ru
From:ciucciamilcalzino_(at)_ciuccazzamelo.it <ciucciamilcalzino_(at)_ciuccazzamelo.it>
Date:03.02.2008
Subject:Youtube Clone Cross Site Scripting (load_message.php)

Discovered by Smasher
CMS: Youtube Clone Script
Site: http://warwolfz.altervista.org
WarWolfZ Security Crew.

Hello, I don't know if this vuln is already out, but I've searched on SecurityFocus and it is not present.

Bug found in load_message.php at line 4:

<?php echo $lang['please_wait']; ?>

Ex: http://localhost/youtube/siteadmin/editor_files/includes/load_message.php?lang[please_wait]=[XSS]

Fix:

<?php echo htmlspecialchars($lang['please_wait']); ?>

Greetz.
Smasher.
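A hardened form of the affected output, added here as an example; it is not code from the Youtube Clone Script or from the advisory above. It assumes a message table named `$messages` and a helper `load_message()` (both hypothetical names), and it goes one step beyond the one-line fix: it also stops `$lang` from being populated by the request in the first place, since a bare `lang[please_wait]=` query parameter only reaches the script when PHP's register_globals is on and `$lang` is not assigned before the echo.

```php
<?php
// Added example, not the original script's code.
// Hypothetical message table; the real script loads its language file.
$messages = [
    'please_wait' => 'Please wait...',
    'saved'       => 'Your changes have been saved.',
];

// Resolve a message key and escape it for HTML output.
// ENT_QUOTES also covers single quotes, so the result is safe inside
// attribute values as well as in text nodes; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function load_message(array $messages, string $key): string {
    // Unknown keys fall back to a fixed string rather than echoing
    // anything that could have come from the request.
    $text = $messages[$key] ?? 'Unknown message';
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $lang is assigned unconditionally from the table, so even on a
// register_globals=On install a lang[...] query parameter cannot seed it.
$lang = $messages;
echo load_message($lang, 'please_wait');

// Constructed check: markup and quotes come out as inert entities.
// Expected: &quot;&gt;&lt;b&gt;x&lt;/b&gt;
echo "\n", load_message(['k' => '"><b>x</b>'], 'k');
?>
```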

© SecurityVulns, 3APA3A, Vladimir Dubrovin