[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Cross-Site Scripting vulnerability in eCaptcha
From: "MustLive" <mustlive () websecurity ! com ! ua>
Date: 2009-09-28 20:46:47
Message-ID: 003301ca407c$e9c080b0$010000c0 () ml
[Download RAW message or body]
Hello Full-Disclosure!
I want to warn you about Cross-Site Scripting vulnerability in eCaptcha
(plugin for E107). I found this hole in July 2008 and disclosed it at
25.09.2008.
XSS:
POST query at page
http://site/path/ecaptcha/?key=b7c9bf99e763252105f047a5ca5681d0
<script>alert(document.cookie)</script>
in field: Type Here.
Working key (ecaptcha_key) is required, which can be retrieved by script.
Every key works only for one time.
Exploit:
http://websecurity.com.ua/uploads/2008/eCaptcha%20XSS.html
I mentioned about this vulnerability at my site
(http://websecurity.com.ua/2253/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic