bugtraq August 2007 archive
Main Archive Page > Month Archives  > bugtraq archives
bugtraq: PhpGedView login page multiple XSS

PhpGedView login page multiple XSS

From: <morin.josh_at_nospam>
Date: Mon Aug 27 2007 - 21:22:51 GMT
To: bugtraq@securityfocus.com
('binary' encoding is not supported, stored as-is)
Vendor Site: http://www.phpgedview.net
Version: 4.1
Common Path: yoursite.com/genealogy/login.php

Overview: Genealogy program which allows you to view and edit your genealogy on your website. It fails to sufficiently sanitize user-supplied input data in "User Name" text box leaving password blank and pressing the "Login" button, also web address XSS.

Example: 1.<html><font color="Red"><b>XSS</b></font></html> 2.yoursite.com/genealogy/login.php?login.php?action=login&username="><iframe> 3.yousite.com/genealogy/login.php?url=/index.php?JOSH="><iframe>

Discovered by: Joshua Morin