XSS vulnerability found via injection in the parameter address

Posted 09-09-2017 (Shell Programming and Scripting forum)

Mods, please move if posted in the wrong section; I wasn't sure where to ask this one.

There are several of us that use an open source program called yiimp,
Code:
https://github.com/tpruvot/yiimp

Several of our sites were attacked last night and I am reaching out to you guys to see if the vulnerability can be fixed quickly.

I believe the offending file is
Code:
/modules/site/wallet.php

My security scan shows
Code:
GET /?address=String.fromCharCode%280%2Cw6w7atn4rh%2C1%29 HTTP/1.1

for the vulnerability.
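The scan line above is a reflection probe: the URL-decoded value is `String.fromCharCode(0,w6w7atn4rh,1)`, and a scanner flags the parameter when that string comes back in the response body unencoded. The quickest confirmation is to request the page with that value and grep the response for the decoded string; if it is present verbatim, anything sent in `address` lands in the page. The following is an added example and not yiimp's code: the "unsafe" function is a hypothetical reconstruction of the reported pattern (the `address` parameter echoed straight into HTML and an inline script), and the hardened version shows the two fixes a reviewer would ask for, input validation and per-context output encoding. The base58 character class and the 26..95 length bounds in `is_plausible_address()` are assumptions; a multi-coin pool would adapt them per coin.

```php
<?php
// Added example (not yiimp's code): reflected XSS through a GET "address"
// parameter, and a hardened version. Run with: php wallet_xss_demo.php

// The probe from the original post's scan log, URL-decoded. It is harmless
// by itself; it exists to reveal whether the parameter is reflected unencoded.
$probe = 'String.fromCharCode(0,w6w7atn4rh,1)';
// Constructed payload of the kind an attacker would send once reflection is confirmed.
$hostile = '"><script>alert(document.cookie)</script>';

// Vulnerable pattern (hypothetical, for illustration only): the raw parameter
// is copied into HTML text and into a JavaScript string literal.
function render_wallet_unsafe(string $address): string
{
    return "<h2>Wallet $address</h2>\n"
         . "<script>var addr = '$address';</script>\n";
}

// Fix 1: validate before use. A coin address is a short identifier from the
// base58 alphabet (no 0, O, I, l). ASSUMPTION: character class and length
// bounds are generic; adjust per coin format.
function is_plausible_address(string $address): bool
{
    return (bool) preg_match('/^[1-9A-HJ-NP-Za-km-z]{26,95}$/', $address);
}

// Fix 2: encode for the output context. htmlspecialchars() for HTML text and
// attributes; json_encode() with the HEX flags for a JavaScript literal, so
// that "</script>" and quote characters cannot break out of the literal.
function render_wallet_safe(string $address): string
{
    if (!is_plausible_address($address)) {
        // Reject rather than "clean": the value is an identifier, not free text.
        return "<p>Invalid address.</p>\n";
    }
    $html = htmlspecialchars($address, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $js   = json_encode($address, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<h2>Wallet $html</h2>\n"
         . "<script>var addr = $js;</script>\n";
}

// Simulate the scanner's GET /?address=... requests offline.
$requests = [
    'probe'   => $probe,
    'hostile' => $hostile,
    'valid'   => '1DemoAddrXss5kN7vW2qR9tH3jL',  // constructed sample of base58 shape
];
foreach ($requests as $label => $address) {
    $_GET['address'] = $address;            // what the web server would populate
    echo "== $label ==\n";
    echo "unsafe: ", render_wallet_unsafe($_GET['address']);
    echo "safe:   ", render_wallet_safe($_GET['address']);
}
```

Running it shows the probe and the hostile payload echoed verbatim by the unsafe renderer (the `<script>` tag survives intact in the HTML), while the safe renderer rejects both and only emits the well-formed address, encoded. Validation alone is not enough, because a future change might accept a wider character set; output encoding alone is not enough either, because an invalid address should never reach the rest of the page logic. Applying both in wallet.php closes the reported reflection without depending on which of the two the next edit forgets.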