full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Cross-site Scripting in EQ

[Full-disclosure] Cross-site Scripting in EQDKP 1.3.2c and prior

From: kefka <kefka_at_nospam>
Date: Sat May 12 2007 - 22:48:03 GMT
To: full-disclosure@lists.grok.org.uk


In listmembers.php, $show fails to properly sanitize user-supplied input.

It's non persistent XSS :-/

Example:
$path-to-eqdkp/listmembers.php?show=%22%3E%3Cplaintext%3E

kefka
kefka [at] kevinbeardsucks.com



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/