|
HSC Research Group -
Advisories
|
|
Written by Hackers Center
|
|
Saturday, 30 December 2006 00:37 |
 *** THIS CODE HAS BEEN FIXED ***
This is a user management program where the users can register themselves by providing their username and passwords for protecting their webcontents. This program provide features like remembering login with cookies, automatic login, extended user info, expire user by date, admin can activate manually, registration page, tracks user logins, user can upload file, user can alter and add fields for user registration, users can login after expiry and more. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Description: Multiple HTML Injection Vulnerability
Hackers Center Security Group (http://www.hackerscenter.com)
Doz"s Advisory
Risk: Medium to High
Vendor: www.spookylogin.com
Class: Input Validation Error
Vulnerable: 2.7
Exploit: Attackers can exploit these issues via a web client.
Remote: Yes
Local: Yes
XSS Hole:
/spooky/login/login.asp
/spooky/login/register.asp
Default login:
Username : Spooky
Password : Admin
*** THIS CODE HAS BEEN FIXED ***
|
