Thank you Donnie, This advisory was/is a perfect example of just how much of a true security professional you are.
You are an irreplaceable asset to this list and the security community as a whole. The world is a safer place with you in it. God bless you. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Morning Wood > Sent: Tuesday, March 29, 2005 1:03 PM > To: [email protected] > Subject: [Full-disclosure] E-Data > > ------------------------------------------------------------ > - EXPL-A-2005-003 exploitlabs.com Advisory 032 - > ------------------------------------------------------------ > - E-Data - > > OVERVIEW > ======== > E-Data 2.0 is a powerful e-mail directory and management application that > will enhance your web site by letting visitors add, change and delete their > personal information to a directory > > AFFECTED PRODUCTS > ================= > E-Data 2.0 > http://www.adventia.com/ > > DETAILS > ======= > E-Data has user supplied input fields in search and in the "add to database" > functions. By inputting a query keyword followed by XSS style script, future > users may search and find the keyword that contains the malicious xss. > The XSS is of a persistant nature as it is stored in the applications > database. > > SOLUTION > ======== > none > 1st contact: March 16, 2005 ( no reply ) > > PROOF OF CONCEPT > ================ > The vendor has a demo site, PoC is in the database, just goto the "demo url" > and enter "qwerty" in search box demo url: > http://www.adventia.com/cgi-bin/dir.pl > > CREDITS > ======= > This vulnerability was discovered and researched by Donnie Werner of > exploitlabs > > web: http://exploitlabs.com > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
