Hosting Provided By

Moodle XSS / Liesbeth base CMS sensitive information disclosure

From: 3APA3A <3APA3A(at)SECURITY.NNOV.RU>
Date: Tue Jul 03 2007 - 05:10:27 EDT

Dear bugtraq@securityfocus.com,

1.
MustLive (mustlive at websecurity.com dot ua) reported crossite scripting vulnerability in Moodle 1.7.1 via search parameter of index.php, example:

http://host/user/index.php?contextid=4&roleid=0&id=2&group=&perpage=20&search=%22style=xss:expression(alert(document.cookie))%20

Detailed information (in Ukranian) http://websecurity.com.ua/1045/ Original message (in Russian) http://securityvulns.ru/Rdocument391.html

2.
Durito [damagelab] (durito at mail dot ru) reported information leak in Liesbeth base CMS (Vendor: www.doubleflex.com), example:

http://host/config.inc

file accessible through Web contains sensitive information, including database account.

Original message (in Russian) http://securityvulns.ru/Rdocument392.html

-- 
http://securityvulns.com/
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/

Received on Tue Jul 3 12:04:51 2007

Do you need help?

This message: [ Message body ]
Next message: NGSSoftware Insight Security Research: "Buffer overflow in HP Instant Support Driver Check (SDD) ActiveX control"
Previous message: LIUDIEYU dot COM: "Two Unpublished IE Cases"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Tue Jul 03 2007 - 12:10:05 EDT