Addressbook 8.1.24.1 / 8.2.5 Cross Site Scripting

2012-12-13T00:00:00
ID PACKETSTORM:118826
Type packetstorm
Reporter Kenneth F. Belva
Modified 2012-12-13T00:00:00

Description

                                        
                                            `Instructions.  
  
After authentication, click on the Group tab at the top. Click on the  
New Group Button on the group page.  
  
For the group name (the first field) enter the following XSS test  
string:  
  
<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>  
  
  
Then call the XSS string from the URL -- technically one calls the group  
name -- through the group parameter as such:  
  
http://[server]/index.php?group=%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E  
  
I emailed the apparent author but did not receive a reply.  
  
  
Ken  
http://silverbackventuresllc.com  
`