Re: Zend studio location Cross-Domain Scripting Vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 13 October 2010 05:25, Thijs Lensselink <dev@xxxxxxxx> wrote:
> ÂOn 10/13/2010 12:19 AM, Daevid Vincent wrote:
>>
>> http://80vul.com/Zend%20studio/Zend%20studio%20location%20Cross.htm
>>
>> Interesting. A co-worker and I were JUST noticing how our PHPDoc comments
>> were being parsed pretty much verbatim including<b> Âtags and links and
>> stuff and thought, "wow, that's stupid, that's just a XSS or injection
>> waiting to happen". LOL. Guess someone's ears were burning. ;-)
>>
>>
>
> Why didn't you inform Zend before you went full disclosure?
>
> It's a nasty bug though!!

Yesterday, I installed PDT for the first time.

Created the scenario for this vulnerability.

Get an exception. MS Visual Studio shows a HTML block with the
<script> tag in it and that is highlighted as the error. "Microsoft
JScript runtime error: Automation server can't create object".



-- 
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux