Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: tb10366.htm

toendaCMS 1.5.3 XSS



CVE-2007-1872: Cross site scripting in toendaCMS 1.5.3
CVE-2007-1872: Cross site scripting in toendaCMS 1.5.3



--nextPart7953917.25aIEm7tcP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Cross site scripting in toendaCMS 1.5.3

security advisory

References:
http://www.toendacms.com/ 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1872 

Description:
 Cross site scripting describes attacks that allow to insert malicious
 html or javascript code via get or post forms. This can be used to steal
 session cookies.
 toendacms is a content management system. The search function can be used
 to inject javascript code.

Workaround/Fix:
 There's no vendor fix.
 Vendor has been contacted 2007-03-11 and replied that they were working on
 the issue.

Sample Code:
action="http://toendainstallation/" method="post">
CVE Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-1872 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright: This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed creative commons attribution: http://creativecommons.org/licenses/by/3.0/ Hanno Boeck, 2007-04-12, http://www.hboeck.de --nextPart7953917.25aIEm7tcP Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.3 (GNU/Linux) iD8DBQBGHXKNr2QksT29OyARAp3BAJ9c0DUxXFrWdM2kcrXbCeuC66HyTQCfa/th DLedMGoMYaGNPKKzcnKhTCE=o/Tl -----END PGP SIGNATURE----- --nextPart7953917.25aIEm7tcP--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH