Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: va1412.htm

PHP Calendar Script Remote XSS (Permanent) Vulnerabilities



PHP Calendar Script Remote XSS (Permanent) Vulnerabilities
PHP Calendar Script Remote XSS (Permanent) Vulnerabilities



===============================================================0D
  PHP Calendar Script Remote XSS (Permanent) Vulnerabilities=0D
===============================================================0D
=0D
  ,--^----------,--------,-----,-------^--,=0D
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..=0D
  `+---------------------------^----------|=0D
    `\_,-------, _________________________|=0D
      / XXXXXX /`|     /=0D
     / XXXXXX /  `\   /=0D
    / XXXXXX /\______(=0D
   / XXXXXX /           =0D
  / XXXXXX /=0D
 (________(             =0D
  `------'=0D
=0D
AUTHOR : CWH Underground=0D
DATE   : 28 September 2008=0D
SITE   : cwh.citec.us=0D
=0D
=0D
#####################################################=0D
APPLICATION : PHP Calendar Script=0D
VERSION     : 6.3.25=0D
VENDOR : www.easyphpcalendar.com=0D 
DOWNLOAD : http://www.easyphpcalendar.com/freeDownload.php=0D 
#####################################################=0D
=0D
=0D
=0D
--- Permanent Cross Site Scripting ---=0D
=0D
-----------------=0D
 Vulnerable Page =0D
-----------------=0D
=0D
[+]http://[Target]/[path]/events/index.php?PHPSESSID=[md5number]&add=1=0D 
=0D
Ex:=0D
=0D
[+]http://[Target]/[path]/events/index.php?PHPSESSID=e99299396b831fe9226b7d5de21edaff&add=1=0D 
=0D
This page is used to Add New Event and there is a feild "Details:" which is prepared for inserting detail of the event.=0D
We can inject javascript into this feild as result in "Stored XSS".=0D
=0D
-----------------=0D
 Example code =0D
-----------------=0D
=0D
Details:=0D
=0D