[VIM] EV0014 question (fwd)

security curmudgeon jericho at attrition.org
Fri Jan 6 07:42:43 EST 2006



---------- Forwarded message ----------
From: Support - eVuln.com
Date: Fri, 06 Jan 2006 17:17:15 +0300
Subject: Re: EV0014 question


> 1. Arbitrary script execution. Example:
> [a]javascript:alert("hello")[/a]
>
>
> What script, fields or variables are affected by this?
>
>
Arbitrary script execution is possible when posting a link in the
messages like this: [a]http://host.com/[/a]
Script: action.php
Variable: $txt
Script doesn't check $url for a valid URL. JavaScript code insertion is
possible: [a]javascript:alert("hello")[/a]

If somebody clicks this link, the JavaScript will be executed.




> 3. Directory Traversal Example:
> Registering new user.
> username: http://host/tpf/profile.php? action=view&uname=../../username
>
>
> So during registration, you can traverse to a different username.. but
> what does this do exactly? Overwrite an existing username with new data?
>

Sorry. There is a small mistake.
http://host/tpf/profile.php?action=view&uname=../../username
This link shows a user's profile, so this vulnerability allows viewing files
with some extensions.
Directory traversal is possible in the registration form too. It allows
creating files (with some extensions) on the server (write access is needed).

>
> Brian
> OSVDB.org
>
>
>
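
A defensive sketch of the two checks discussed in this message, as an added example that is not part of the original e-mail or the affected application's code: a scheme allowlist for the [a] tag and a strict username pattern applied before the name reaches a file path. The function names, the allowed schemes and the username rule are assumptions.

```php
<?php
// Added example: function names, allowed schemes and the username rule are
// assumptions, not taken from the affected application.

// Render [a]url[/a] as a link only for well-formed http(s) URLs.
function render_link_tag(string $txt): string
{
    // Escape the whole message first so nothing outside the tag is live HTML.
    $escaped = htmlspecialchars($txt, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '#\[a\](.*?)\[/a\]#is',
        function (array $m): string {
            $url = html_entity_decode(trim($m[1]), ENT_QUOTES, 'UTF-8');
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            $host = parse_url($url, PHP_URL_HOST);
            $hasCtl = preg_match('/[\x00-\x20\x7f]/', $url) === 1;
            if ($hasCtl || empty($host) || !in_array($scheme, ['http', 'https'], true)) {
                // javascript:, data:, scheme-less or malformed values stay inert text.
                return $m[0];
            }
            $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $safe . '" rel="nofollow noopener">' . $safe . '</a>';
        },
        $escaped
    );
}

// Allow only characters that cannot form a path component such as "../".
// Apply this both when viewing a profile (uname) and at registration.
function is_valid_username(string $uname): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{3,32}\z/', $uname) === 1;
}

// Constructed sample inputs, taken from the forms shown in the message.
$messages = [
    'see [a]http://host.com/[/a]',
    'see [a]javascript:alert("hello")[/a]',
];
foreach ($messages as $msg) {
    echo render_link_tag($msg), "\n";
}
foreach (['username', '../../username'] as $name) {
    echo $name, ' => ', is_valid_username($name) ? 'accepted' : 'rejected', "\n";
}
```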

