Title: Cross Site Scripting in WebzEdit
Release Date: Feb 22, 2004
Application: WebzEdit
Version Affected: 1.9 or lower
Platform: JSP
Severity: Low
Discoverer: Cheng Peng Su (apple_soup[at]msn.com)
Vendor URL: hxxp://www.freewebs.com/

################################################

Intro:

WebzEdit is a tool for editing web pages online.
Proof Of Concept:

This page (hxxp://host/WebzEdit/done.jsp?message=index.htm%20has%20been%20saved.) shows a message box reading "index.htm has been saved.", and [done.jsp] does not filter illegal characters out of the message parameter before reflecting it into the page's JavaScript. So here is an XSS vuln:

URL: hxxp://host/WebzEdit/done.jsp?message=');[XSS code];a=escape('