|
Advisory:
|
FreeSMS Multiple Cross-site Scripting Vulnerabilities
|
|
Advisory ID:
|
SSCHADV2011-028
|
|
Author:
|
Stefan Schurtz
|
|
Affected Software:
|
Successfully tested on FreeSMS 2.1.2 |
|
Vendor URL:
|
|
|
Vendor Status:
|
informed
|
|
CVE-ID:
|
-
|
======================
Vulnerability Description:
======================
FreeSMS (Free Student Management System) is prone to multiple Cross-Site scripting vulernabilities
Continue reading "SSCHADV2011-028 - FreeSMS Multiple Cross-site Scripting Vulnerabilities"
On my blog are some vulnerabilities called "Cross-site scripting" or "XSS", but what exactly is a Cross-site scripting?
A Cross-site scripting attack is a type of a html injection and the problem is always when a web application accept user input and generates the output without validating or encoding it. This flaw makes it possible for an attacker to inject a malicious script – like javascript – to access cookies, session tokes or some other sensitive information stored in the user’s browser, because it thinks the script came from a trusted source.
They are some different possibilties to identify XSS vulnerabilities:
- use a web security scanner, like xsser, arachni, Nikto …
- test/review the code for places with user input which possibly ends into HTML output (contact forms, search forms …)
Continue reading "Cross-site scripting (XSS) - What's that and how to identify them?"
| Advisory: |
KaiBB 2.0.1 XSS and SQL Injection vulnerabilities
|
| Advisory ID: |
SSCHADV2011-027
|
| Author: |
Stefan Schurtz
|
| Affected Software: |
Successfully tested on KaiBB 2.0.1 |
| Vendor URL: |
|
| Vendor Status: |
informed |
| CVE-ID: |
- |
======================
Vulnerability Description:
======================
KaiBB 2.0.1 is prone to XSS and SQL Injection vulnerabilities
Continue reading "SSCHADV2011-027 - KaiBB 2.0.1 XSS and SQL Injection vulnerabilities"
| Advisory: |
openEngine 2.0 ‘key’ Blind SQL Injection vulnerability
|
| Advisory ID: |
SSCHADV2011-026 |
| Author: |
Stefan Schurtz
|
| Affected Software: |
Successfully tested on openEngine 2.0 100226 |
| Vendor URL: |
|
| Vendor Status: |
informed |
| CVE-ID: |
- |
======================
Vulnerability Description
======================
The ‘key’ parameter in openEngine 2.0 is prone to a Blind SQL Injection
Continue reading "SSCHADV2011-026 - openEngine 2.0 'key' Blind SQL Injection vulnerability"
|
Advisory:
|
Contao 2.10.1 Cross-site scripting vulnerability
|
|
Advisory ID:
|
SSCHADV2011-025
|
|
Author:
|
Stefan Schurtz
|
|
Affected Software:
|
Successfully tested on Contao 2.10.1
|
|
Vendor URL:
|
|
|
Vendor Status:
|
fixed
|
|
CVE-ID:
|
|
======================
Vulnerability Description:
======================
Contao 2.10 is prone to a Cross-site scripting vulnerability
Continue reading "SSCHADV2011-025 - Contao 2.10.1 Cross-site scripting vulnerability"
|
Advisory:
|
phpFK 7.2.5 Multiple Cross-site Scripting vulnerabilities
|
|
Advisory ID:
|
SSCHADV2011-022
|
|
Author:
|
Stefan Schurtz
|
|
Affected Software:
|
Successfully tested on phpFK 7.2.5 |
|
Vendor URL:
|
|
|
Vendor Status:
|
informed
|
|
CVE-ID:
|
-
|
======================
Vulnerability Description:
======================
phpFK 7.2.5 is prone to multiple Cross-site scripting vulnerabilities
Continue reading "SSCHADV2011-022 - phpFK 7.2.5 Multiple Cross-site Scripting vulnerabilities"