EliteHackers
r3v
Moderator
Registered: 16 years ago
Posts: 1158
Code:
Xplico v0.5.7 (add.ctp) Remote XSS Vulnerability
Title: Xplico v0.5.7 (add.ctp) Remote XSS Vulnerability
Type: Remote
Impact: Cross-Site Scripting
Release Date: 02.07.2010
Release mode: Coordinated release
Summary
=======
The goal of Xplico is extract from an internet traffic capture the applications
data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP,
and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic
Analysis Tool (NFAT).
Description
===========
Xplico is vulnerable to a Cross-Site Scripting vulnerability. An attacker can use the
"POST" to take advantage of this vulnerability, injecting code into the web pages
viewed by other users.
--------------------------------------------------------------------------------
Detecting vulnerabilities
- /opt/xplico/xi/app/views/pols/add.ctp:13
- /opt/xplico/xi/app/views/pols/add.ctp:14
- /opt/xplico/xi/app/views/sols/add.ctp:10
--------------------------------------------------------------------------------
Vendor
======
Xplico Team - http://www.xplico.org
Affected Version
================
0.5.7
PoC
===
- /opt/xplico/xi/app/views/pols/add.ctp:13
echo $form->input('Pol.name', array('maxlength' => 50, 'size' => '50', 'label' => 'Case name '));
Attack: Case name=[XSS] (POST)
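Added illustration, not part of the advisory and not Xplico's code: a plain-PHP stand-in for a view that re-populates the submitted "Case name" field, shown unescaped beside the escaped version. Only the field name Pol.name and the label come from the advisory; the input naming and the test string are constructed.

```php
<?php
// Constructed stand-in for a view that echoes a POSTed field back into the form.
// Field name "Pol.name" / label "Case name" are from the advisory; the
// data[Pol][name] naming and the test payload are assumptions for this demo.

// Vulnerable: the submitted value is placed into the value="..." attribute verbatim,
// so a value containing a closing quote and a tag is rendered as markup.
function render_case_name_vulnerable(string $submitted): string
{
    return '<label for="PolName">Case name </label>'
         . '<input name="data[Pol][name]" id="PolName" maxlength="50" size="50" '
         . 'value="' . $submitted . '" />';
}

// Hardened: the untrusted value is HTML-escaped for the attribute context
// (ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE avoids empty output on bad UTF-8).
function render_case_name_safe(string $submitted): string
{
    $v = htmlspecialchars($submitted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<label for="PolName">Case name </label>'
         . '<input name="data[Pol][name]" id="PolName" maxlength="50" size="50" '
         . 'value="' . $v . '" />';
}

// Regression check usable in a test suite: the raw <script> tag must never
// survive into the rendered page. Returns true when the renderer is safe.
function renderer_escapes(callable $renderer, string $payload): bool
{
    return strpos($renderer($payload), '<script>') === false;
}

// Constructed canary value: closes the attribute, then injects a script element.
$payload = '"><script>alert(1)</script>';

echo 'vulnerable renderer escapes: ',
     var_export(renderer_escapes('render_case_name_vulnerable', $payload), true), PHP_EOL;
echo 'hardened renderer escapes:   ',
     var_export(renderer_escapes('render_case_name_safe', $payload), true), PHP_EOL;
echo render_case_name_safe($payload), PHP_EOL;
```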
Credits
=======
Vulnerability discovered by Marcos Garcia (@artsweb) and Maximiliano Soler (@maxisoler).
Solution
========
Upgrade to Xplico v0.5.8 (http://sourceforge.net/projects/xplico/files/)
Vendor Status
=============
[22.06.2010] Vulnerability discovered.
[22.06.2010] Vendor informed.
[22.06.2010] Vendor replied.
[24.06.2010] Asked vendor for confirmation.
[24.06.2010] Vendor confirms vulnerability.
[24.06.2010] Asked vendor for status.
[24.06.2010] Vendor replied.
[29.06.2010] Vendor reveals patch release date.
[29.06.2010] Coordinated public advisory.
References
==========
[1] http://www.xplico.org/archives/710
Changelog
=========
[02.07.2010] - Initial release
Web: http://www.zeroscience.mk
e-mail:
_______________________________________ http://thieves-team.com r3vyk.info mess id: only by PM, because 10000 retards who play Metin have added me
posted 15 years ago