Thyme 1.3 Cross Site Scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Thyme 1.3 Cross Site Scripting
From: outlaw@xxxxxxxxxxxxxxxxx
Date: 29 Apr 2006 07:29:05 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#----------------------------------------------------------
#Aria-Security.net Advisory
#Discovered  by: O.U.T.L.A.W
#< www.Aria-security.net>
#Gr33t to: A.u.r.a  & R@1D3N & Smok3r
#-----------------------------------------------------------
» Software: Thyme 1.3 
» Link: http://www.extrosoft.com/products/thyme/demo/index.php
» Attack method: Cross Site Scripting
» advisory:http://www.aria-security.net/portals/thyme

» Summary:
Thyme is a calendar system

»Description
A Remote User Can Steal the sessioncookie by searing 
<script>alert(document.cookie)</script><!-- in search page 




» Solution
contact me: Advisory@xxxxxxxxxxxxxxxxx

Prev by Date: Image file crashes Finder, Safari and other apps
Next by Date: 4images<-- 1.7.1 SQL Injection
Previous by thread: Image file crashes Finder, Safari and other apps
Next by thread: 4images<-- 1.7.1 SQL Injection
Index(es):
- Date
- Thread