ApPHP Calendar XSS - CSRF

Subject: ApPHP Calendar XSS - CSRF
From: edgard.chammas@balamand.edu.lb
Date: Tue Aug 31 2010 - 23:13:32 EEST

Previous message: ZDI Disclosures: "ZDI-10-168: Apple QuickTime ActiveX _Marshaled_pUnk Remote Code Execution Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) ##############################################################
# Vendor: ApPHP
# Affected versions: All
# Script: ApPHP Calendar
# URL: http://www.apphp.com/php-calendar/index.php
# Vulnerability type: XSS - CSRF
# Risk rating: Medium
##############################################################
# [Exploit]
# Attack: XSS - CSRF in calendar.php via POST
# Vulnerable file: calendar.class.php
# Vulnerable parameters:
# - category_name
# - category_description
# - event_name
# - event_description
###############################################################
# [Solution]
# Need to sanitize the vulnerable parameters
###############################################################
# [Credits]
# Edgard Chammas [454447415244]
# edgard.chammas@balamand.edu.lb
###############################################################

Previous message: ZDI Disclosures: "ZDI-10-168: Apple QuickTime ActiveX _Marshaled_pUnk Remote Code Execution Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b28 : Tue Aug 31 2010 - 23:56:09 EEST