They never learn: Symantec support page search form XSS bug

Vulnerable page:

PoC"><img src=>

You can either include any XSS code in search input box, or request any XSS code directly using GET method and keyword parameter.

Note: This is a proof of concept and it doesn't reflect the views or interests of above websites.
Написано RoLex в 2017-05-22 01:160 comments8 likes


Changes in
- when a client uses an unrecognized Socks5 login, the request will be allowed; however, a warning will be shown that contains the username and the password to allow users to find bad configuration settings (this solves the problem with replacing Tor with AdvOR in the Tor Browser Bundle)
- the files Help\Firefox\readme.txt and Help\Firefox\AdvOR.ini were updated to work with the 6.5.2 version of Tor Browser
- updated language strings: 3262, 3263

File information: AdvOR
Написано advor в 2017-05-14 20:420 comments2 likes

Arcabit (Subscription renewal service) vulnerable to XSS

Arcabit (Subscription renewal service) - XSS

Vulnerable page:

"><img src=>

It is enough to insert any XSS code directly into serial field and your code will be executed and displayed immediately.

Note: This is a proof of concept and it doesn't reflect the views or interests of above website.
Написано Neo в 2017-05-07 20:220 comments3 likes


Changes in
- corrected some plugin calls that were using different calling conventions than expected when compiled with newest versions of gcc (thanks to RoLex and Ruza for reporting this problem)
- added a splitter between the main tree and the configuration page that can be used to resize the configuration page
- if both WindowPos and GuiPlacement3 are found, GuiPlacement3 is used because it stores splitter's position (WindowPos will still be saved to AdvOR.ini)
- messages that are logged before the GUI is created are cached and shown later in the Debug window
- geoip_c.h was updated with GeoIPCountryWhois.csv released on May 2nd; there are 153441 IP ranges having 32 ranges in the fake "A1" country; 31 ranges were approximated to real countries

File information: AdvOR
Написано advor в 2017-05-05 20:200 comments2 likes


Changes in
- added support for Unicode command line arguments; main() will use argv[] arguments converted from Unicode to UTF-8
- corrected some memory allocation problems that could had caused deallocation of invalid memory regions
- the procedure that searches the memory allocated for xul.dll for a function that can be called to delete cookies from Firefox when changing the identity was removed
- starting with this version, configuration options used by both 0.3x and 0.4x versions of AdvOR will be saved to AdvOR.ini

File information: AdvOR
Написано advor в 2017-04-27 20:080 comments2 likes
« Назад • 2 • Вперед »