SASHA v0.2.0 Mutiple XSS

2011-12-26T00:00:00
ID SECURITYVULNS:DOC:27494
Type securityvulns
Reporter Securityvulns
Modified 2011-12-26T00:00:00

Description

Exploit Title: SASHA v0.2.0 Mutiple XSS

Date: 12/16/11

Author: G13

Software Link: http://sourceforge.net/projects/sasha/files/

Version: 0.2.0

Category: webapps (php)

Vulnerability

When adding a new course to the schedule, the application relies on Client Side controls for input. This can easily be bypassed by using an intercepting proxy or CSRF attack.

Affected Variables

section_title=[XSS] instructors=[XSS]

POST Data

institution=uvm&semester%5Bseason%5D=09&semester%5Byear%5D=2011&schedule_type=0& subject=math&course=0028&section=test&start_time%5Bhour%5D=8& start_time%5Bminute%5D=0&start_time%5Bmeridiem%5D=AM&end_time%5Bhour%5D=9& end_time%5Bminute%5D=0&end_time%5Bmeridiem%5D=AM&parent_schedule_id=& instructors%5B0%5D=&instructors%5B1%5D=&instructors%5B2%5D=&instructors%5B3%5D=& instructors%5B4%5D=&instructors%5B5%5D=&section_title=&step=1&next=Next