Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Professional Home Page Tools Login Script Cross Site Scripting Vulnerabi

from [tamriel] Network Security [Permanent Link]
Subject: Professional Home Page Tools Login Script Cross Site Scripting Vulnerabilities
Date: 25 Jul 2006 20:15:58 -0000 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Advisory: Professional Home Page Tools Login Script Cross Site Scripting 
Vulnerabilities
  Release Date: 2006/07/25
 Last Modified: 2006/07/25
        Author: Tamriel [tamriel at gmx dot net]
   Application: Professional Home Page Tools Login Script
          Risk: Low
 Vendor Status: contacted
   Vendor Site: www.php-tools.eu


 Overview:

   Quote from wwww.php-tools.eu

   "Dieses Login Script bietet Ihnen einfache Features, um Ihre Webinhalte zu 
schuetzen. 
    Die Registrierung kann deaktiviert werden, wenn Sie nicht möchten, dass 
sich weitere
    Benutzer anmelden. Das integrierte Content Management System bietet Ihnen 
die 
    Moeglichkeit Webinhalte nur für eingeloggte Benutzer sichbar zu machen."


 Details:

      In the register formular only the email adress will be checked. In all 
other fields
      you can insert HTML tags or something like that.


 Version note:

      I havent found some information about the actual version of this script, 
so take a look on the
      md5 hashes of my proofed files:

      f598cc788dd1a45677cf7cb6ee6d3b5b functions.php
      ba2a2c5792cdd77151341c5fa78ecbfc index.php
      c2e3e52bcd02cfc1103e79aa14e721ce main.php


 Solution:

      Take a view on PHP's htmlentities function.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3

iD8DBQFExnfjqBhP+Twks7oRAtMrAJ4n0Mqn+PAV2IBw4+9RSWNxAh5zcACghGoS
kaVRqWxPicQ6mIrzgGFaLDw=
=MniK
-----END PGP SIGNATURE-----
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Professional Home Page Tools Login Script Cross Site Scripting Vulnerabilities, tamriel <=
Previous by Date:  PHP-Auction SQL injection, l2odon
Next by Date:  wwwThreads XSS, l2odon
Previous by Thread:  PHP-Auction SQL injection, l2odon
Next by Thread:  wwwThreads XSS, l2odon
Indexes:  [Date] [Thread] [Top] [All Lists]