Vulnerability details :
 
E-Data Personal Information Addition XSS 
 
     Fiche

Fiche créée le 2005-03-29 16:59:03, dernière mise à jour le 2008-03-02 23:51:02

E-Data contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the input fields upon submission to the creation of a new user. This could allow a user to create a specially crafted HTML and script code that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server when the malicious personal information is viewed, leading to a loss of integrity.


Go to: http:///cgi-bin/dir.pl Fill the form "Add Your Name" Input script code in fields "First Name:" or "Last Name:" for example. Script example: Name Add the user. The code will be executed in the confirmation page, and also while looking at the user information after searching the directory for the newly created user.
 
Adventia    2.0  Affected
 
Attack Type :  Input Manipulation
 XSS, SQL injection, file retrieval, directory traversal, overflows, URL encoding.
 Découvert le 2005-03-29 16:10:53
 
Disclosure :  OSVDB Verified
 Confirmé le 2005-03-29 16:10:53
 
Exploit :  Exploit Public
 Exploit découvert le 2005-03-29 08:00:00
 
Impact :  Loss of Confidentiality
 Assurance that data is protected and not disclosed to an unauthorized party. Examples: password disclosures, server information, environment variables, confirmation of file existence, path disclosure, file content access, some SQL injection.
 
Impact :  Loss of Integrity
 Assurance that data is unaltered by unauthorized persons. Examples: XSS, arbitrary command execution, most overflows, most format strings, SQL injection, unauthorized file modification/deletion/creation, remote file inclusion, etc.
 
Location :  Remote / Network Access
 If network access if required and exploit can be done remotely.
 
OSVDB :  Web Related
 The vulnerability is a web issue and will have an associated security check.
 
 
External refs :
OSVDB  15091
  
  
  
  
  
  
 
 
 
 

 
 


Free consultation (search)
 
  Fill one or some of the fields below :
   
Vendor
 
Title
 
Vulnerability ref.
 
 
   
 
   
Individual alerts
 
You determine with one profile dynamic and assisted, all your material and software equipment.
We shall inform you then automatically, as soon as a notification of security will concern one or several elements of it profile.
Every notification is definite, consists of numerous information to determine risk and to protect itself from it.
 
Login:
Pass:
 
Free online subscription
© Power4Security.com - BMS Ltd UK 2007-2008 - powered by Power4Website.com
Partenaires : Anti-spam - Hébergement France - MySQL Php Suisse - Hosting Canada - Web Php Maroc - WebmasterMalin
Guide de l'affiliation - Guide du paiement électronique et de l'e-currency - Annuaire du Web - Solution e-commerce - Externalisation et outsourcing
e-Marketing et e-Mailing - Comparaison de services - Comparateur Marchands - Bons plans par email - Tests de personnalité et de QI
SMS API - Forums et Petites Annonces Gratuites - Rencontres - Sonneries - Offres du Web - Arrêter de fumer - Guide des mobiles et PDA