Disclosure: @1 Event Publisher / @1 Table Publisher Multiple Vulnerabilities

[This was originally published on OSVDB, now gone. VulnDB 24235, 24236, 24237, 24238]

  • Ticket has been submitted. The ticket number is SCR00994.

While looking at some of your scripts, I noticed there are a few security issues:

UPOINT @1 Event Publisher
eventpublisher_admin.htm does not validate input to the Event, Description, Time, Website, and Public Remarks fields. This can be used for cross-site scripting (XSS) attacks.

eventpublisher_usersubmit.htm does not validate input to the Event, Description, Time, Website, and Public Remarks fields. This can be used for cross-site scripting (XSS) attacks.

A direct request to eventpublisher.txt will reveal the contents of private comments.

UPOINT @1 Table Publisher
tablepublisher.cgi does not validate input to the Title of Table field, which can be used for XSS attacks.
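The findings above are all the same flaw: values submitted in a form field (Event, Description, Time, Website and Public Remarks in the Event Publisher pages, Title of Table in tablepublisher.cgi) are written back into the generated page without validation or escaping. The following is an added example, not code from the advisory or from the @1 scripts themselves, which were not available. It models that pattern with an assumed page layout, shows the escaped version beside it, and includes the canary check a tester would use to confirm which fields reflect unescaped. The field names come from the advisory; the render functions, record layout and canary strings are assumptions made for this example.

```python
"""Added example, not code from the original advisory or from the @1
Event/Table Publisher scripts.  Models the advisory's flaw (form fields
copied into generated HTML without escaping) and the fix.  Render
functions, record layout and canary values are assumptions."""
import html
from urllib.parse import urlsplit

# Field names as listed in the advisory (the only part taken from it).
EVENT_FIELDS = ["Event", "Description", "Time", "Website", "Public Remarks"]
TABLE_FIELDS = ["Title of Table"]


def render_vulnerable(record):
    """Assumed layout reproducing the reported pattern: every submitted
    value is concatenated straight into the page, and the Website value
    is also dropped into an href attribute."""
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in record.items())
    link = record.get("Website", "")
    return f'<table>{rows}</table><a href="{link}">site</a>'


def safe_url(value):
    """Escaping alone does not protect an href: 'javascript:alert(1)'
    contains no HTML metacharacters.  Accept only http(s) URLs with a
    host; anything else is dropped rather than rendered."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(value, quote=True)
    return ""


def render_fixed(record):
    """Same page with every value HTML-escaped (quote=True covers the
    attribute context too) and the Website field scheme-restricted."""
    rows = "".join(
        f"<tr><th>{html.escape(str(k), quote=True)}</th>"
        f"<td>{html.escape(str(v), quote=True)}</td></tr>"
        for k, v in record.items()
    )
    link = safe_url(str(record.get("Website", "")))
    anchor = f'<a href="{link}">site</a>' if link else ""
    return f"<table>{rows}</table>{anchor}"


def canary(field):
    """A unique, harmless tag per field so a reflection can be attributed
    to the field that carried it (constructed test value, not a payload)."""
    return f'<u id="xsscheck-{field.lower().replace(" ", "-")}">'


def unescaped_fields(render, fields):
    """Submit a canary in every field and return the fields whose canary
    comes back verbatim, i.e. lands in the page as markup, not text."""
    record = {f: canary(f) for f in fields}
    page = render(record)
    return [f for f in fields if canary(f) in page]


if __name__ == "__main__":
    print("vulnerable:", unescaped_fields(render_vulnerable, EVENT_FIELDS))
    print("fixed:     ", unescaped_fields(render_fixed, EVENT_FIELDS))
    print("table:     ", unescaped_fields(render_vulnerable, TABLE_FIELDS))
    print("href:      ", safe_url("javascript:alert(1)") or "(rejected)")
```

The canary is deliberately inert so the check can be run against a live admin page (where submissions are stored and re-rendered to every later visitor) without leaving a working payload behind. The eventpublisher.txt finding needs no harness beyond the direct request the advisory describes; its fix is not escaping but keeping the data store outside the document root, or denying it in the web server configuration, and never emitting private remarks through the public page at all.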

Thanks
