Fix XSS vulnerability
Product Details
Posted by:
Version:
1.0.0000
Tags:
dolphin fix site XSS cross scripting vulnerability
Compatible for:
Dolphin v.6.0
Dolphin v.6.x
License:
GNU General Public License (GPL)
Price:
$5
Created:
April 22, 2008 at 07:58
Avg. vote:
10.00
Product Description
Hello and welcome!
I have found an XSS (cross site scripting) vulnerability in Dolphin (all versions 6.000X and 6.1X) that allows a registered user to execute a script on anyone who views his/her profile. The malicious user could use it to:
1. Steal the "cookie" of the person viewing his profile, including other users AND the admin!
2. Automatically redirect anyone viewing his profile to another website.
3. Popup a fake login box and record the information entered.
The possibilities are endless because he would actually be running the script from ANOTHER server!
I notified "VictorT" and "Unoboonex" as soon as I found the flaw... but most of us have sites that are so heavily modded that we will be unable to upgrade to the next version after this vulnerability is fixed, so I put this out.
This was JUST discovered and has not hit any of the hacker forums yet... patch NOW!
*** If you are using the FINAL version of 6.1 you DON'T need this... if you are using the beta versions or ANY 6.000X versions you are vulnerable! ***
thanks
M.scott
http://www.makeasocialnetwork.com (Patched :-)
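As an added illustration of the defender's side of the issue described above (example code, not Dolphin's own code and not part of this listing): encode stored profile text on output so markup a member saved in a description is shown as text rather than run, plus a moderator-side check that flags descriptions containing markup. The function names and sample descriptions are assumptions constructed for the example.

```php
<?php
// Added example, not Dolphin's own code. Two defensive checks for a stored
// profile XSS: output encoding of user-supplied profile fields, and a simple
// flag for stored descriptions that contain markup at all.

/** Escape a user-supplied profile field for safe inclusion in an HTML page. */
function renderProfileField(string $value): string
{
    // Encodes & < > " ' so a stored "<script>" is rendered as literal text.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Flag descriptions containing tags, event-handler attributes or javascript: URLs. */
function looksLikeMarkup(string $value): bool
{
    return (bool) preg_match('~<\s*/?[a-z!]|javascript\s*:|\bon[a-z]+\s*=~i', $value);
}

// Constructed sample descriptions (not real member data).
$samples = [
    'Hi, I like hiking and photography.',
    'Check me out <script src="http://attacker.example/x.js"></script>',
    'Nice profile <img src="x" onerror="alert(1)">',
];

// First sample renders unflagged; the other two are flagged for moderator review
// and their tags come out as visible text instead of executing.
foreach ($samples as $desc) {
    echo (looksLikeMarkup($desc) ? '[FLAG] ' : '[ok]   ') . renderProfileField($desc) . "\n";
}

// Mitigation for the cookie-theft scenario: mark the PHP session cookie HttpOnly
// so script running in the page cannot read it (set before session_start()).
ini_set('session.cookie_httponly', '1');
```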
Comments
Customer
Comment
Vote
Posted
I've recently had people trying to sign up using code in their description, but because profiles don't go active until the email has been confirmed I've been blocking the IP address and deleting the profiles. This patch just plays safe for myself and my genuine members.
10
April 22, 2008
Ohhh you're my new sweet tart for today! Keep this stuff coming!!
10
April 22, 2008
Security is a big concern of mine... I am glad this is available... Thanks!!
10
April 22, 2008
I know I liked you for a REASON!!!
Keep it up
ExpertzzzPro
10
April 23, 2008
Well spotted, and good fix, thanks
10
April 24, 2008
As ALWAYS, mscott comes through! I SWEAR by this man for MY site.
10
April 25, 2008