TUCoPS :: Web :: Blogs :: bx3799.htm

Maran PHP Blog Xss By Khashayar Fereidani
Maran PHP Blog Xss By Khashayar Fereidani
Maran PHP Blog Xss By Khashayar Fereidani


----------------------------------------------------------------=0D
=0D
Script : Maran PHP Blog=0D
=0D
Type : XSS (Pasive)=0D
=0D
Method : GET=0D
=0D
Alert : Medium=0D
=0D
----------------------------------------------------------------=0D
=0D
Discovered by : Khashayar Fereidani a.k.a. Dr.Crash=0D
=0D
My Offical Website : HTTP://FEREIDANI.IR=0D 
=0D
Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com=0D
=0D
----------------------------------------------------------------=0D
=0D
Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR=0D 
=0D
----------------------------------------------------------------=0D
=0D
Script Download : http://www.maran.pamil-visions.com/download2.php?dir=maranphp&file=maranblog.zip=0D 
=0D
----------------------------------------------------------------=0D
=0D
This Is One Xss Vulnerability in ID Variable .=0D
Attacker Can Execute JavaScript Code And Get Admin Cookie And Send new article with admin cookie .....=0D
=0D
Xss Address : http://Example/comments.php?id=%3E%3C%3E%27%3Cscript%3Ealert(document.cookie)%3C/script%3E=0D 
=0D
=0D
----------------------------------------------------------------=0D
=0D
Solution : Edit Source Code And Filter id Variable With htmlspecialchars() function in comments.php .......=0D
=0D
line 32 : '>
=0D
=0D
Change It To : '>
=0D
=0D
----------------------------------------------------------------=0D
=0D
                        Tnx : God=0D
=0D
HTTP://IRCRASH.COM=0D 
=0D
----------------------------------------------------------------

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH