Vendor : SCT URL : http://www.SCT.com/ Version: Campus Pipeline Risk : Cross site scripting
Description: Fusetalk SCT Campus Pipeline is the Web platform of choice at over 175 institutions. It improves efficiency, builds community, and provides freedom of choice by integrating disparate systems and applications into a unified whole. SCT Campus Pipeline provides an institution's constituents - students, faculty, administration, and alumni - with centralized Web access to information, services, and communities.
Cross site scripting: when passing a url to the script /cp/render.UserLayoutRootNode.uP?uP_tparam=utf&utf=????? You can easily highjack a users session
Solution: only allow onsite urls. or make specific exceptions for those that arnt
Credits: Credits goto my loving fiance, you push me todo things i never thought possible.
Exploit: This is exploited by passing a foreign url to the utf variable in the http://one.drexel.edu/cp/render.UserLayoutRootNode.uP?uP_tparam=utf <http://one.drexel.edu/cp/render.UserLayoutRootNode.uP?uP_tparam=utf&utf > &utf= script.
Spiffomatic64 Hacking is an art-form