SecWorm.net - Advisory
http://SecWorm.net/

XSS vulnerability on easyAdmin2Pro

----------------------------------------------------------------------------------
1. Advisory Information:
----------------------------------------------------------------------------------
Title:- XSS vulnerability on easyAdmin2Pro
Advisory ID:- SecWorm_Network_2010-1
Advisory URL:- http://secworm.net/showthread.php?thread-119.html

----------------------------------------------------------------------------------
2. Vulnerability Information:
----------------------------------------------------------------------------------
Class:- Cross Site Scripting (XSS) Injection
Remotely Exploitable:- yes
Locally Exploitable:- yes

----------------------------------------------------------------------------------
3. Vulnerability Description:
----------------------------------------------------------------------------------
The login form of easyAdmin2Pro is vulnerable to cross-site scripting.
Login page: http://www.site.com/easyadmin/index.php
The email field on this page is neither validated nor output-encoded, so whatever is submitted in it is written back into the page unmodified. An attacker can therefore place arbitrary HTML and script in that field, and it will execute in the browser of anyone who views the resulting page.

----------------------------------------------------------------------------------
4. POC [Proof of Concept]:
----------------------------------------------------------------------------------
http://img69.imageshack.us/img69/9964/easyadminpoc.jpg

----------------------------------------------------------------------------------
5. Credits:
----------------------------------------------------------------------------------
Discovered by lossless from SecWorm Network

----------------------------------------------------------------------------------
6. Report Timeline:
----------------------------------------------------------------------------------
1/09/10 - lossless discovers the vulnerability and notifies the authors. Further contact pending.

----------------------------------------------------------------------------------
7. About SecWorm Network:
----------------------------------------------------------------------------------
SecWorm Network is a group of security researchers and ethical hackers whose motto is security awareness and helping others to secure themselves. Everyone can reach us at http://www.SecWorm.net/

----------------------------------------------------------------------------------
8. Disclaimer & Copyright:
----------------------------------------------------------------------------------
The contents of this advisory are copyright © 2009 SecWorm Network, and may be distributed freely provided that proper credit is given.
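The sanitization gap described in section 3, shown as an added PHP example. This is illustrative code written for this page, not easyAdmin2Pro's source: a hypothetical login handler that re-displays the submitted email field after a failed login, first in the unsafe form and then hardened with input validation and attribute-context output encoding. The form markup, the function names and the payload string are all assumptions.

```php
<?php
// Added example, not easyAdmin2Pro's code. Hypothetical login handler that
// re-displays the submitted email address in the form after a failed login.
declare(strict_types=1);

// --- Vulnerable pattern: raw request value written straight into HTML -----
// A value such as  "><script>alert(document.cookie)</script>  submitted in
// the email field closes the value attribute and the script element runs.
function render_login_vulnerable(array $post): string
{
    $email = $post['email'] ?? '';
    return '<form method="post" action="index.php">'
         . '<input type="text" name="email" value="' . $email . '">'
         . '<input type="password" name="password">'
         . '<input type="submit" value="Login"></form>';
}

// --- Hardened pattern: validate on input, encode on output -----------------
function render_login_fixed(array $post): string
{
    $raw = (string) ($post['email'] ?? '');
    // Accept only a syntactically valid address; anything else is dropped
    // instead of reflected, so the attacker's payload never reaches the page.
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL) === false ? '' : $raw;
    // Encode for the HTML attribute context even after validation: RFC 5322
    // allows a quoted local part, so a "valid" address can still carry quotes.
    // ENT_QUOTES handles both quote characters; the charset must match the
    // page's declared encoding (UTF-8 assumed here).
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="index.php">'
         . '<input type="text" name="email" value="' . $safe . '">'
         . '<input type="password" name="password">'
         . '<input type="submit" value="Login"></form>';
}

// Constructed test input for this example, not the payload from the advisory's screenshot.
$attack = ['email' => '"><script>alert(document.cookie)</script>'];

echo render_login_vulnerable($attack), PHP_EOL;
// The <script> element appears unencoded inside the form markup.
echo render_login_fixed($attack), PHP_EOL;
// The value attribute stays empty because the input is not a valid address;
// a valid address is echoed with any quote characters converted to entities.
```

The fix has two independent layers on purpose: validation narrows what the field accepts, and encoding makes whatever is accepted inert in the attribute context it is written into. Either layer alone leaves a gap; encoding without validation still reflects attacker-chosen text, and validation without encoding trusts the validator's notion of "valid" to also mean "safe in HTML", which it does not.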