Cross-Site Scripting vulnerability in eCaptcha

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Bugtraq!
I want to warn you about Cross-Site Scripting vulnerability in eCaptcha (plugin for E107). I found this hole in July 2008 and disclosed it at 25.09.2008. 

XSS:
POST query at page http://site/path/ecaptcha/?key=b7c9bf99e763252105f047a5ca5681d0 

<script>alert(document.cookie)</script>
in field: Type Here.
Working key (ecaptcha_key) is required, which can be retrieved by script. Every key works only for one time. 

Exploit:

http://websecurity.com.ua/uploads/2008/eCaptcha%20XSS.html
I mentioned about this vulnerability at my site (http://websecurity.com.ua/2253/). 

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux