Tikiwiki 1.9.7 HTML/embed object injection

2007-08-25T00:00:00
ID SECURITYVULNS:DOC:17884
Type securityvulns
Reporter Securityvulns
Modified 2007-08-25T00:00:00

Description

Tikiwiki Version: 1.9.7

Example Address: http://example.com/tiki-remind_password.php

Overview: The following HTML code can be added to the password reminder page by placing it in the user name input box and pressing the "send me my password" button.

Examples:

1. <br><br><b><u>XSS</u></b>
2. <EMBED SRC="http://site.com/xss.swf"
3. <html><fontcolor="Red"><b>Pwned</b></font></html>
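The behaviour described above, reduced to a reflected value written into a page with and without output encoding. This is an added example, not Tikiwiki source code: the function names and the message text are hypothetical, and only the three inputs are taken from the advisory.

```php
<?php
// Added illustration; NOT Tikiwiki source. Function names and the message
// text are hypothetical.

// Before: the submitted user name is concatenated into the page unescaped,
// so any markup in it becomes part of the document.
function remind_message_unescaped(string $username): string
{
    return '<div class="error">Unknown user: ' . $username . '</div>';
}

// After: encode for the HTML context at output time. ENT_QUOTES covers both
// quote styles in case the value is ever placed inside an attribute.
function remind_message_escaped(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="error">Unknown user: ' . $safe . '</div>';
}

// The three inputs listed in the advisory, copied as given there.
$inputs = [
    '<br><br><b><u>XSS</u></b>',
    '<EMBED SRC="http://site.com/xss.swf"',
    '<html><fontcolor="Red"><b>Pwned</b></font></html>',
];

$prefix = '<div class="error">Unknown user: ';
$suffix = '</div>';

foreach ($inputs as $i => $input) {
    $before = remind_message_unescaped($input);
    $after  = remind_message_escaped($input);

    // Strip the fixed wrapper; whatever is left came from the user.
    $reflected = substr($after, strlen($prefix), -strlen($suffix));
    // Inert means no character that can open a tag or close an attribute.
    $inert = strpbrk($reflected, '<>"\'') === false;

    printf("input %d\n  before: %s\n  after:  %s\n  inert:  %s\n",
        $i + 1, $before, $after, $inert ? 'yes' : 'no');
}
```

The same loop works as a regression check: feed the advisory's inputs through whatever renders the reminder page and fail the build if any reflected value is not inert.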