Computer Security

Security Advisory: Cross-Site Scripting vulnerability in eCaptcha
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  FlatPress 0.804-0.812.1 Local File Inclusion to Remote Command  Execution

From:MustLive <mustlive_(at)_websecurity.com.ua>
Date:30.09.2009
Subject:Cross-Site Scripting vulnerability in eCaptcha

Hello Bugtraq!

I want to warn you about Cross-Site Scripting vulnerability in eCaptcha
(plugin for E107). I found this hole in July 2008 and disclosed it at
25.09.2008.

XSS:

POST query at page
http://site/path/ecaptcha/?key=b7c9bf99e763252105f047a5ca5681d0

<script>alert(document.cookie)</script>
in field: Type Here.

Working key (ecaptcha_key) is required, which can be retrieved by script.
Every key works only for one time.

Exploit:

http://websecurity.com.ua/uploads/2008/eCaptcha%20XSS.html

I mentioned about this vulnerability at my site
(http://websecurity.com.ua/2253/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru
test server