Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Plesk 7 Cross-Site Scripting

from [Andrew Smith] Network Security [Permanent Link]
Subject: [Full-Disclosure] Plesk 7 Cross-Site Scripting
Date: Thu, 23 Dec 2004 22:58:05 +0000 
Vendor: SW-Soft

URL: http://www.sw-soft.com/

Version: Plesk 7.0.0

Risk: Cross-Site Scripting

Description: Plesk is comprehensive server management software
developed specifically for the Hosting Service Industry with the
assistance of Web hosting professionals. Time tested tough in real
world hosting environments this award winning "control panel" software
has proven itself for years to be simply the best.
Cross Site Scripting:
There's a cross-site scripting vulnerability in the login page for
Plesk 7, another case of improperly secured POST data.
An attacker can inject data into the page through the login_name
variable on the login page ("login_up.php3").
An example can be found here: http://www.wheresthebeef.co.uk/XSS/plesk.7.html
The CSS isn't done through a GET request, it is done through POST and
can be exploited in the form of a form.

Solution:
The vendor hasn't replied to any of my e-mails but they do appear to
have fixed this problem.
*Hello SW-Soft, if you're watching!*


-- 
zxy_rbt2
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] Plesk 7 Cross-Site Scripting, Andrew Smith <=
Previous by Date:  [VulnWatch] IBM DB2 generate_distfile buffer overflow vulnerability (#NISR2122004L), NGSSoftware Insight Security Research
Next by Date:  [Full-Disclosure] Re: [USN-52-1] vim vulnerability, Liu Die Yu
Previous by Thread:  [VulnWatch] IBM DB2 generate_distfile buffer overflow vulnerability (#NISR2122004L), NGSSoftware Insight Security Research
Next by Thread:  [Full-Disclosure] Cross-Site Scripting - an industry-wide problem, mikx
Indexes:  [Date] [Thread] [Top] [All Lists]