Sunday 7 October 2007

dbList XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 7 October 2007
Vendor: http://www.livio.net/main/scripts.asp?file_id=24
Affected versions: dbList v8.1
Other versions may also be affected.
###############################################

dbList contains a flaw that allows remote Cross-Site Scripting attacks. Input passed to the "table", "db", "strKeyWords", "pagesize" and "sort" parameters isn't properly sanitised before being returned to the user in the generated page (reflected XSS).
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site, for example by tricking a logged-in user into following a crafted link.

###############################################
Solution:
Edit the source code so that every one of these values is HTML-encoded before it is written into the page (in classic ASP, Server.HTMLEncode on each value) and so that parameters with a fixed shape are validated instead of echoed: "pagesize" should be accepted only as a bounded integer and "sort" only against a list of known column names. No fixed version was available at the time of writing.
###############################################
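The pattern behind the advisory and its fix, as an added example that is not part of the original advisory or of dbList itself: a small Python model of a page that reflects the five named parameters, once raw and once with encoding plus validation. The request URL, the page markup, the column allowlist and the page-size bounds are all constructed for the example; dbList's real file names and columns are not known from the advisory.

```python
import html
from urllib.parse import parse_qs, urlparse

# The five parameters named in the advisory.
REFLECTED = ("table", "db", "strKeyWords", "pagesize", "sort")

# Assumed allowlist of sortable columns and page-size bounds; dbList's real
# columns and limits are not given in the advisory.
SORT_COLUMNS = {"id", "name", "date"}
DEFAULT_PAGESIZE = 20
MAX_PAGESIZE = 500


def params_from_url(url):
    """Pick the advisory's parameters out of a request URL (first value each)."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {p: qs.get(p, [""])[0] for p in REFLECTED}


def render_vulnerable(p):
    """Reflect the raw query values into HTML: the flaw the advisory describes."""
    return (
        f'<input name="strKeyWords" value="{p["strKeyWords"]}">'
        f'<p>Table {p["table"]} in {p["db"]}, '
        f'page size {p["pagesize"]}, sorted by {p["sort"]}</p>'
    )


def render_hardened(p):
    """Validate values with a known shape, HTML-encode everything that is echoed."""
    try:
        pagesize = int(p["pagesize"])
        if not 1 <= pagesize <= MAX_PAGESIZE:
            raise ValueError
    except ValueError:
        pagesize = DEFAULT_PAGESIZE
    sort = p["sort"] if p["sort"] in SORT_COLUMNS else "id"
    # html.escape encodes < > & " and ' so a value cannot break out of an
    # attribute or start a tag, whichever context it lands in.
    return (
        f'<input name="strKeyWords" value="{html.escape(p["strKeyWords"])}">'
        f'<p>Table {html.escape(p["table"])} in {html.escape(p["db"])}, '
        f'page size {pagesize}, sorted by {sort}</p>'
    )


# Constructed attack URL: strKeyWords closes the value attribute and injects a
# script tag, pagesize carries an event-handler payload. dblist.asp is a guess.
PAYLOAD_URL = (
    "http://example.test/dblist.asp?table=users&db=shop"
    "&strKeyWords=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
    "&pagesize=%3Cimg+src%3Dx+onerror%3Dalert(2)%3E&sort=name"
)

if __name__ == "__main__":
    p = params_from_url(PAYLOAD_URL)
    print("vulnerable:", render_vulnerable(p))
    print("hardened:  ", render_hardened(p))
```

Encoding alone would also have neutralised the "pagesize" payload, but a parameter that the script later feeds into a query or a loop counter should be rejected rather than decorated, which is why the hardened version validates it as an integer and falls back to a default.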
