Re: [FD] weblogin software cross site request

2015-07-18 Thread jericho


: Dork: intitle:weblogin intext:This page will redirect you to:

A single site runs this 'WebLogin'.

: Product:WebLogin

What is the vendor URL? Or there is none, because this is a site-specific 
issue for lanl.gov. Worse, it has pretty aggressive filtering and will not 
render script tags, HTML tags, and requires the http:// element it seems.


So this is a site specific issue, with no real value or merit, and doesn't 
apply to anyone else in the world?


: Rootktit Pentester.

Really?

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/


[FD] weblogin software cross site request

2015-07-17 Thread Juan Martinez
Hi, People i discover a cross site request in this
Dork: intitle:weblogin intext:This page will redirect you to:

This cross site request is exploit like this example:
http://target/Login:%20Weblogin%20%20This%20page%20will%20redirect%20you%20to%20
inject any word you want to screen in the webpage. Or another Poc is for
example:
http:target?referer=inject the word or number you want to like view in the
page.
I advice fix this bug because is very easy deface this webpages whith
Product:WebLogin
Best Regard.
Rootktit Pentester.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/