
toendaCMS 1.5.3 XSS
CVE-2007-1872: Cross site scripting in toendaCMS 1.5.3


Cross site scripting in toendaCMS 1.5.3

security advisory


 Cross-site scripting (XSS) describes attacks in which malicious HTML or
 JavaScript is injected through GET or POST parameters and returned by the
 application to other users' browsers. A typical use is stealing session
 cookies.
 toendaCMS is a content management system. Its search function can be used
 to inject JavaScript code, because the submitted search term is reflected
 in the results page without adequate escaping.

 There is no vendor fix.
 The vendor was contacted on 2007-03-11 and replied that they were working
 on the issue.

Sample Code:
<form action="http://toendainstallation/" method="post">
(the form's input fields, which carried the search parameter and the
injected script, did not survive archiving of this advisory)
</form>
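The following is an added example, not code from the advisory or from the
toendaCMS project. It models the class of bug described above: a search
page that echoes the submitted term back verbatim, the same page with
HTML escaping applied, and a check that tells the two apart by looking for
the payload unchanged in the response. The response bodies are constructed
here; the parameter name "q", the hypothetical probe URL and the page
layout are assumptions, since the advisory does not give toendaCMS's real
search parameter.

```python
"""Reflected XSS in a search page: vulnerable model, escaped fix, and a
reflection check.  Added example; the page markup and the parameter name
are assumptions, not toendaCMS 1.5.3's actual code."""

import html
import urllib.parse
import urllib.request

# Payload that is harmless in a lab but unambiguous if it comes back verbatim.
# The leading '">' breaks out of a value="..." attribute, the <script> tag
# covers the plain-text context.
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_results_vulnerable(term: str) -> str:
    """Constructed stand-in for a search page that echoes the term as-is."""
    return (
        "<html><body>"
        f'<form method="post"><input name="q" value="{term}"></form>'
        f"<p>No results for: {term}</p>"
        "</body></html>"
    )


def render_results_fixed(term: str) -> str:
    """Same page with the term HTML-escaped.  quote=True matters: without it
    a bare '"' would still terminate the value attribute."""
    safe = html.escape(term, quote=True)
    return (
        "<html><body>"
        f'<form method="post"><input name="q" value="{safe}"></form>'
        f"<p>No results for: {safe}</p>"
        "</body></html>"
    )


def reflects_unescaped(body: str, payload: str) -> bool:
    """True if the payload appears in the body character-for-character,
    i.e. the application did not escape '"', '<' or '>' before echoing it."""
    return payload in body


def probe_search(url: str, param: str, payload: str = XSS_PAYLOAD) -> bool:
    """POST the payload to a live search endpoint (assumed URL and parameter
    name) and report whether it is reflected unescaped.  Not run offline."""
    data = urllib.parse.urlencode({param: payload}).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return reflects_unescaped(body, payload)


if __name__ == "__main__":
    print("vulnerable page reflects payload:",
          reflects_unescaped(render_results_vulnerable(XSS_PAYLOAD), XSS_PAYLOAD))
    print("escaped page reflects payload:   ",
          reflects_unescaped(render_results_fixed(XSS_PAYLOAD), XSS_PAYLOAD))
```

Against a real installation, probe_search("http://toendainstallation/",
"q") would carry out the POST the advisory's sample form performs; the
check is a plain substring match, so a page that merely strips "<" would
also pass it, and the response should still be inspected by hand before
concluding the fix is complete.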
CVE Information:
 The Common Vulnerabilities and Exposures (CVE) project has assigned the
 name CVE-2007-1872 to this issue. This is a candidate for inclusion in the
 CVE list (http://cve.mitre.org/), which standardizes names for security
 problems.

Credits and copyright:
 This vulnerability was discovered by Hanno Boeck of schokokeks.org
 webhosting. It's licensed Creative Commons Attribution:
 http://creativecommons.org/licenses/by/3.0/

Hanno Boeck, 2007-04-12, http://www.hboeck.de
