Active XSS in Invision Power Board 2.1.4

Discussion in 'Уязвимости' started by k00p3r, 2 Mar 2006.

  1. k00p3r

    k00p3r Banned

    Joined:
    31 May 2005
    Messages:
    430
    Likes Received:
    8
    Reputations:
    2
    Команда Cyber Lords, нашла новую багу в IPB.
     
  2. Mobile

    Mobile Elder - Старейшина

    Joined:
    18 Feb 2006
    Messages:
    1,089
    Likes Received:
    822
    Reputations:
    324
    Сам нашёл уязвимость?...
     
  3. GreenBear

    GreenBear наркоман с медалью

    Joined:
    7 May 2005
    Messages:
    2,547
    Likes Received:
    1,398
    Reputations:
    612
    =))))
     
  4. PinkPanther

    PinkPanther [ розовый мафиозо ]

    Joined:
    16 Mar 2005
    Messages:
    280
    Likes Received:
    75
    Reputations:
    85
    1 person likes this.
  5. Mobile

    Mobile Elder - Старейшина

    Joined:
    18 Feb 2006
    Messages:
    1,089
    Likes Received:
    822
    Reputations:
    324
    Морф красавец!...
     
  6. Morph

    Morph Пирожок с Маком

    Joined:
    13 Aug 2004
    Messages:
    790
    Likes Received:
    113
    Reputations:
    169
    Гы воть так нех приватные баги распространять вот блин тоже...................
    Докатились............


    ХРАНИТЬ ТАКОЕ НАДо!

    :))
     
  7. D1mOn

    D1mOn Elder - Старейшина

    Joined:
    2 Oct 2005
    Messages:
    380
    Likes Received:
    144
    Reputations:
    29
    да зря выложили!
     
  8. Mobile

    Mobile Elder - Старейшина

    Joined:
    18 Feb 2006
    Messages:
    1,089
    Likes Received:
    822
    Reputations:
    324
    Тоесть можно код сниффера залить, и всё?
     
  9. GreenBear

    GreenBear наркоман с медалью

    Joined:
    7 May 2005
    Messages:
    2,547
    Likes Received:
    1,398
    Reputations:
    612
    Защита.
    Открыть sources/action_public/misc/contact_member.php
    Найти:
    PHP:
    $this->lib->msg_post    $this->email->message
    (431 строка по умолчанию)

    Заменить на:
    PHP:
    $this->lib->msg_post    htmlspecialchars($this->email->message);