damianov.net Shoutbox XSS Vulnerability
Please view the original advisory here.
The free shoutbox script from damianov.net suffers from an XSS vulnerability.
Arbitrary HTML and JavaScript code can be injected while adding a new shout,
regardless of whether HTML is allowed in shoutsettings.php or not.
#1 Example: <SCRIPT src=some-script.js></SCRIPT>
#2 Example: <SCRIPT>alert("XSS")</SCRIPT>
#3 Example: <SCRIPT>alert(document.cookie)</SCRIPT>
#4 Example: <script>document.location.href="http://www.google.de"</script>
Solution: edit the code and add filters to the shout text.
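An added PHP example of such a filter (not the shoutbox's own code; `filter_shout`, the render functions and the `$allow_html` flag standing in for the shoutsettings.php option are assumed names): it shows the unfiltered echo the advisory describes next to a hardened version that escapes the shout and, when HTML is allowed, restores only attribute-less formatting tags, so the four payloads above are displayed as text.

```php
<?php
// Added example (not the shoutbox's own code): filter shout text before it is
// displayed. $allow_html stands in for the shoutsettings.php HTML option.

// Escape everything; when HTML is allowed, restore only a short allowlist of
// attribute-less formatting tags. <script>, event handlers and src/href
// attributes are never un-escaped, so the advisory's payloads render as text.
function filter_shout(string $text, bool $allow_html): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!$allow_html) {
        return $safe;
    }
    foreach (['b', 'i', 'u', 'strong', 'em'] as $tag) {
        $safe = str_ireplace("&lt;{$tag}&gt;", "<{$tag}>", $safe);
        $safe = str_ireplace("&lt;/{$tag}&gt;", "</{$tag}>", $safe);
    }
    return $safe;
}

// The pattern the advisory describes: the shout is echoed unfiltered.
function render_shout_vulnerable(string $text): string
{
    return '<div class="shout">' . $text . '</div>';
}

// Hardened rendering: the filter runs before the text reaches the page.
function render_shout_fixed(string $text, bool $allow_html): string
{
    return '<div class="shout">' . filter_shout($text, $allow_html) . '</div>';
}

// Constructed inputs: the four payloads quoted in the advisory, plus one
// harmless formatting tag that should survive when HTML is allowed.
$shouts = [
    '<SCRIPT src=some-script.js></SCRIPT>',
    '<SCRIPT>alert("XSS")</SCRIPT>',
    '<SCRIPT>alert(document.cookie)</SCRIPT>',
    '<script>document.location.href="http://www.google.de"</script>',
    '<b>bold</b> text',
];
foreach ($shouts as $s) {
    echo 'raw     : ' . render_shout_vulnerable($s) . "\n";
    foreach ([false, true] as $allow) {
        $out = render_shout_fixed($s, $allow);
        // Neither mode may let a script tag through.
        assert(stripos($out, '<script') === false);
        echo ($allow ? 'html on : ' : 'html off: ') . $out . "\n";
    }
}
```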
May 13th, 2010 in XSS | tags: advisory, damianov.net shoutbox, html code injection, Security, vulnerability, XSS
