Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24399
HistoryAug 08, 2010 - 12:00 a.m.

Vulnerabilities in Dataface Web Application Framework

2010-08-0800:00:00
vulners.com
11
JSON

Hello Bugtraq!

I want to warn you about security vulnerabilities in Dataface Web
Application Framework.

Advisory: Vulnerabilities in Dataface Web Application Framework

URL: http://websecurity.com.ua/4276/

Affected products: Dataface 1.0.

Timeline:

04.11.2009 - found vulnerabilities.
10.06.2010 - announced at my site.
11.06.2010 - informed developer.
11.06.2010 - developer fixed these vulnerabilities in the latest version of
framework and at his site.
06.08.2010 - disclosed at my site.

Details:

These are Cross-Site Scripting and Full path disclosure vulnerabilities.

XSS:

http://site/admin.php?-table=pages&-search=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&-action=search_index

Full path disclosure:

http://site

Variable DATAFACE_PATH in body of all pages of the site.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON