XSS in Authoria HR Suite

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:
======

Cross-site scripting vulnerability (XSS) in Authoria HR suite

Vulnerable Application:
=======================

Authoria HR Suite (http://www.authoria.com) is an HR information management
application used by many large enterprises.

Details:
========

Due to inefficient URL filtering, which assumes that anything enclosed in
quotes is a string value, it is possible to inject JavaScript through the URL.

The fact that all unknown parameters are copied into string variables inside a
<script> tag makes it even easier to exploit.

Demonstration:
==============

https://your.site.com/path.to/cgi-bin/athcgi.exe?command=showpage&script='],[0,0]];alert('Hello%20there!');a=[['
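The root cause described above, as an added example that is not Authoria's code: a renderer that copies each unknown parameter into a quoted JavaScript string literal the way the advisory describes, next to one that serialises the value as a JSON literal with script-context escaping. The function names and the single-variable `var name = '...'` context are assumptions; the hostile input is the decoded `script` parameter from the demonstration URL above.

```javascript
// Added example, not code from the Authoria product or the advisory author.

// Naive pattern the advisory describes: every unknown query parameter is copied
// into a JavaScript string literal inside a <script> block, "protected" only by
// the surrounding quotes. A value containing a quote terminates the literal and
// everything after it is parsed as code. (Assumed context: one var per param.)
function renderScriptNaive(params) {
  const assignments = Object.entries(params)
    .map(([name, value]) => `var ${name} = '${value}';`)
    .join('\n');
  return `<script>\n${assignments}\n</script>`;
}

// Hardened version: serialise the value as a JSON string literal, then escape
// the characters that can still break a script context even inside valid JSON:
// '<' and '>' (so "</script>" and "<!--" cannot close the block), '&', and the
// line terminators U+2028/U+2029, which older engines treat as newlines.
function toSafeJsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderScriptSafe(params) {
  const assignments = Object.entries(params)
    // Parameter names become variable names, so only identifiers are accepted.
    .filter(([name]) => /^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name))
    .map(([name, value]) => `var ${name} = ${toSafeJsLiteral(value)};`)
    .join('\n');
  return `<script>\n${assignments}\n</script>`;
}

// Run a rendered block in isolation: strip the wrapper tags, compile the body as
// a function with a recording alert() stub, and report what happened. A quote
// break-out surfaces as a SyntaxError because the program structure changed.
function evaluateRendered(html) {
  const body = html.replace(/^<script>\n/, '').replace(/\n<\/script>$/, '');
  const alertCalls = [];
  let error = null;
  let script;
  try {
    const fn = new Function(
      'alert',
      body + '\nreturn typeof script === "undefined" ? undefined : script;'
    );
    script = fn((msg) => alertCalls.push(msg));
  } catch (e) {
    error = e.name;
  }
  return { error, alertCalls, script };
}

// Constructed input: the URL-decoded `script` parameter from the advisory's PoC.
const hostileValue = "'],[0,0]];alert('Hello there!');a=[['";

console.log(renderScriptNaive({ script: hostileValue }));
console.log(renderScriptSafe({ script: hostileValue }));
console.log(evaluateRendered(renderScriptNaive({ script: hostileValue })));
console.log(evaluateRendered(renderScriptSafe({ script: hostileValue })));
```

The naive output no longer parses once the value's quote closes the literal early, which is exactly the condition the advisory's filter fails to detect; the hardened output keeps the whole value as data and the variable round-trips unchanged. Quoting is a delimiter, not an encoder: the value has to be encoded for the context it lands in, and for an inline script that context is a JavaScript literal inside HTML, hence the extra `<`, `>` and `&` escapes on top of JSON.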

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9pKAg8mCpXsrcXpwRAn09AJ98PCYsK+XkzdZG/BmYz6dK26QhrgCdGg5B
GkqaU/8qIj8/unR8YxEI8Ns=
=TNOO
-----END PGP SIGNATURE-----

