RE: PHP Addressbook v8.2.5 Group Name XSS
I can confirm that the below vulnerability also applies to v8.2.5, the
latest version.

PHP Addressbook software URL:
http://sourceforge.net/projects/php-addressbook/?source=directory

I don't mean to clog the list but I was doing research on an earlier
version and didn't realize that a later version was also released.

Ken

 -------- Original Message --------
 Subject: Addressbook v8.1.24.1 Group Name XSS
 From: "Kenneth F. Belva" <research@silverbackventuresllc.com>
 Date: Wed, December 12, 2012 8:15 am
 To: bugtraq@securityfocus.com

 Instructions.

 After authentication, click on the Group tab at the top. Click on the
 New Group Button on the group page.

 For the group name (the first field) enter the following XSS test
 string:

 <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

 Then call the XSS string from the URL -- technically one calls the
 group name -- through the group parameter as such:

 http://[server]/index.php?group=%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E

 I emailed the apparent author but did not receive a reply.

 Ken
 http://silverbackventuresllc.com
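
Added example, not part of the original message and not PHP Address Book's own code: a sketch of the output-encoding fix for a group name that is echoed back from the group parameter. All function names and the name-validation policy are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical rendering helpers; not taken from PHP Address Book's source.

// Vulnerable pattern: the group name is written into the page verbatim.
function render_group_heading_unsafe(string $group): string
{
    return '<h2>Group: ' . $group . '</h2>';
}

// Encode for the HTML context at the point of output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form of the heading.
function render_group_heading(string $group): string
{
    return '<h2>Group: ' . h($group) . '</h2>';
}

// A link back to the group needs URL-encoding for the query value,
// then HTML-encoding for the attribute it sits in.
function render_group_link(string $group): string
{
    $href = 'index.php?group=' . rawurlencode($group);
    return '<a href="' . h($href) . '">' . h($group) . '</a>';
}

// Defence in depth when a group is created: accept only plausible labels.
// The allowed character set and length limit are a constructed policy.
function is_valid_group_name(string $name): bool
{
    return preg_match('/^[\p{L}\p{N} ._\-]{1,64}$/u', $name) === 1;
}

// The test string from the report, as PHP sees it after URL decoding.
$group = '<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>';

echo render_group_heading_unsafe($group), "\n"; // markup passes through unchanged
echo render_group_heading($group), "\n";        // angle brackets become entities
echo render_group_link($group), "\n";
var_dump(is_valid_group_name($group));
var_dump(is_valid_group_name('Family'));
```

Encoding at output is the actual fix; the input check only narrows what can be stored and should not be relied on alone.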