aflog-xss.txt

2008-07-25T00:00:00
ID PACKETSTORM:68496
Type packetstorm
Reporter Dentrasi
Modified 2008-07-25T00:00:00

Description

                                        
                                            `//Author  
Dentrasi  
  
//Application  
Aflog  
  
//Version  
1.01  
  
//Site  
http://www.aflog.org  
  
//Bug  
Users' display names are not sanitized, allowing XSS attacks to be performed.  
  
//PoC  
When signing up, use the display name:  
<script>alert('xss')</script>  
This affects your name when viewing any page that you have posted a comment on.  
It also affects anyone viewing any page while you are online, as aflog prints a list of online users in the page footer.`
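As an added illustration, not code from the advisory or from Aflog itself: the unsafe rendering pattern the advisory describes (a stored display name concatenated into the online-users footer) next to an output-encoding fix, in JavaScript. The function names, user objects and footer markup are assumptions.

```javascript
// Added example (not Aflog's code): the unsafe footer rendering the advisory
// describes, beside an output-encoding fix. Names and markup are assumed.

// Minimal HTML entity encoding for text placed inside an element body or a
// double-quoted attribute: covers the five characters that can break out of
// either context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the stored display name goes straight into the markup,
// so a name like the advisory's PoC executes for every visitor who sees the
// footer while that account is online.
function renderOnlineUsersUnsafe(users) {
  return '<div id="online">' + users.map((u) => u.displayName).join(', ') + '</div>';
}

// Hardened: encode at the point of output, regardless of what signup accepted.
// Input validation at signup is a useful second layer but not a substitute.
function renderOnlineUsersSafe(users) {
  return '<div id="online">' + users.map((u) => escapeHtml(u.displayName)).join(', ') + '</div>';
}

// Constructed sample: one benign user and one whose name is the advisory's PoC.
const sampleUsers = [
  { displayName: 'alice' },
  { displayName: "<script>alert('xss')</script>" },
];

console.log(renderOnlineUsersUnsafe(sampleUsers)); // script tag survives intact
console.log(renderOnlineUsersSafe(sampleUsers));   // rendered as inert text
```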