#3902 XSS

open
nobody
None
5
2011-04-27
2011-04-27
No

As a result of xss bug in "https: / / zion: 10000/shell/index.cgi" I looked over and I found XSS on the following pages:
"https://nibelheim:10000/software/search.cgi?search=%22%3Cscript%3Ealert%281%29%3C%2Fscript%3E&goto=1"
"https://nibelheim:10000/proc/run.cgi"
After that I guess the decision will be the same in all places where you enter some text.

Discussion

  • Jamie Cameron

    Jamie Cameron - 2011-04-27

    Yes, but those can't be exploited by an attacker as Webmin detects links from un-trusted referrers.

     
  • Jose Eulogio Cribeiro Aneiros

    If you change the packet with a proxy or plugins like TamperData, and you add to packet "Referer" as "https://192.168.1.10:10000/software/" webmin not detects this attack

     
  • Jamie Cameron

    Jamie Cameron - 2011-04-28

    Right, but why would the victim intentionally change his own web requests to open himself up to a vulnerability?

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks