AOH :: HP Unsorted U :: TB13144.HTM

usd250 helpdesk XSS vulnerabily.



usd250 helpdesk XSS vulnerabily.
usd250 helpdesk XSS vulnerabily.




http://www.oneorzero.com/

Within the helpdesk utility usd250, an XSS in the comments field is possible.
The comments strip script tags and replace them with (not allowed), but
script tags dont need to be in place for XSS. Something along the lines of...
some text Suffices.

The fix is to use htmlentities() or htmlspecialchars() to filter ALL html
from user input.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.