The Mambo jambook component suffers from a HTML injection vulnerability via the Entry field.
d1c34827d58039dab0fbc025ba86035b------=_Part_126104_29492606.1164565546478
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
###########################################################################
# Advisory #14 Title: Mambo component "jambook" Html injection Vulnerability
#
#
# Author: 0o_zeus_o0 ( Arturo Z. )
# Contact: zeus at diosdelared.com
# Website: www.diosdelared.com
# Date: 26/11/06
# Risk: medium
# Vendor Url: http://www.jxdevelopment.com/jambook
# Affected Software: jambook
# search: allinurl: com_jambook
#
#Info:
##################################################################
#can be exploited by malicious people to conduct script insertion attacks.
#
#Input passed to the "Entry" field isn't sanitised before being stored in
the guestbook.
#
#This can be exploited to execute arbitrary script code in a user's browser
session
#
#in context of an affected website when a malicious guestbook entry is
viewed.
#
#
#example
##################################################################
#
#<iframe src=www.webos.com >
#
#
##################################################################
#
#
#
#VULNERABLE VERSIONS
##################################################################
# 1.0
#
##################################################################
#Contact information
#0o_zeus_o0
#zeus at diosdelared.com
#www.diosdelared.com
##################################################################
#greetz: S.S.M, sams, a mi beba
#Original Advisory: http://diosdelared.com/14.txt
##################################################################
------=_Part_126104_29492606.1164565546478
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
###########################################################################<br># Advisory #14 Title: Mambo component "jambook" Html injection Vulnerability <br>#<br>#<br># Author: 0o_zeus_o0 ( Arturo Z. )<br># Contact: zeus at
<a href="http://diosdelared.com">diosdelared.com</a><br># Website: <a href="http://www.diosdelared.com">www.diosdelared.com</a><br># Date: 26/11/06<br># Risk: medium<br># Vendor Url: <a href="http://www.jxdevelopment.com/jambook">
http://www.jxdevelopment.com/jambook</a><br># Affected Software: jambook<br># search: allinurl: com_jambook<br>#<br>#Info:<br>##################################################################<br>#can be exploited by malicious people to conduct script insertion attacks.
<br>#<br>#Input passed to the "Entry" field isn't sanitised before being stored in the guestbook.<br>#<br>#This can be exploited to execute arbitrary script code in a user's browser session<br>#<br>#in context of an affected website when a malicious guestbook entry is viewed.
<br>#<br>#<br>#example<br>##################################################################<br>#<br>#<iframe src=<a href="http://www.webos.com">www.webos.com</a> ><br>#<br>#<br>##################################################################
<br>#<br>#<br>#<br>#VULNERABLE VERSIONS<br>##################################################################<br># 1.0<br>#<br>##################################################################<br>#Contact information<br>
#0o_zeus_o0<br>#zeus at <a href="http://diosdelared.com">diosdelared.com</a><br>#www.diosdelared.com<br>##################################################################<br>#greetz: S.S.M, sams, a mi beba<br>#Original Advisory:
<a href="http://diosdelared.com/14.txt">http://diosdelared.com/14.txt</a><br>##################################################################
------=_Part_126104_29492606.1164565546478--
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!