usd250 helpdesk XSS vulnerabily.

看板Bugtraq作者Joseph.時間18年前 (2007/10/26 02:18)推噓0(0推 0噓 0→)

留言0則, 0人參與討論串1/1

http://www.oneorzero.com/ Within the helpdesk utility usd250, an XSS in the comments field is possible. The comments strip script tags and replace them with (not allowed), but script tags dont need to be in place for XSS. Something along the lines of... <b onmouseover="window.alert('omghax')">some text</b> Suffices. The fix is to use htmlentities() or htmlspecialchars() to filter ALL html from user input.

‣ 返回看板[ Bugtraq ] 臭蟲

‣ 更多 Joseph. 的文章

文章代碼(AID): #178Dtp00 (Bugtraq)