Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

spymacXSSflaws.txt

🗓️ 22 May 2006 00:00:00Reported by LostmonType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 30 Views

Spymac WOS multiple Cross site scripting fla

Code
`##########################################################  
Multiple Cross site scripting in Spymac WOS v  
Vendor url: http://www.spymac.com/network.php?p=wos  
Advisore:http://lostmon.blogspot.com/2006/05/  
multiple-cross-site-scripting-in.html  
Vendor notify: yes Exploit available: yes  
##########################################################  
  
  
Spymac WOS is powered by an integrated collection of Web  
and desktop applications that together form "Spymac WOS".  
Developed in-house, Spymac WOS is an intelligent environment  
featuring patent-pending technology that allows for the creation  
of an immersive and visually-stunning Web experience.  
  
Spymac have a flaw that allows a remote cross site scripting attack.  
This flaw exists because the application does not validate  
multiple variables upon submission to multiple scripts.  
This could allow a user to create a specially crafted URL  
that would execute arbitrary code in a user's browser within  
the trust relationship between the browser and the server,  
leading to a loss of integrity.  
  
  
#######################  
Versions  
#######################  
  
Spymac WOS V  
  
  
########################  
Solution:  
########################  
  
No solution was available at this time.  
  
  
########################  
Examples  
########################  
  
for view some examples... need a client login.  
http://[VICTIM]/notes/index.php?action=delete_folder&del_folder=[XSS-CODE]  
http://[VICTIM]/notes/index.php?action=empty_trash[XSS-CODE]  
http://[VICTIM]/ipod/get_ipod.php?curr=10[XSS-CODE]  
http://[VICTIM]/notes/index.php?action=noteform&nick=Lostmon[XSS-CODE]  
  
  
http://[VICTIM]/login.php?[XSS-CODE]  
  
  
some others variables are subsceptibles to the same flaw.  
  
  
  
########################  
TIMELINE  
########################  
  
Discovered:02-05-2006  
Vendor notify:14-05-2006  
Vendor response:-------------  
Disclosure:17-05-2006  
  
  
######################## €nd #####################  
  
Thnx to Estrella to be my ligth.  
  
--   
atentamente:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
--  
La curiosidad es lo que hace mover la mente....  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 May 2006 00:00Current
0.1Low risk
Vulners AI Score0.1
spymac woscross site scriptingexploit availableweb applicationsremote attacktrust relationshiploss of integrityvulnerable variablesdisclosure datevendor notification
30