asterisk2billing.org
http://forum.asterisk2billing.org/

A2Billing SECURITY ISSUE
http://forum.asterisk2billing.org/viewtopic.php?f=16&t=6016
Page 1 of 1

Author:  gregor1410 [ Mon Aug 10, 2009 11:26 pm ]
Post subject:  A2Billing SECURITY ISSUE

Hello. Somebody told me that A2Billing is not secured against XSS attacks. For example, please log into your account and click the VOUCHER menu. You will see the address: http://localhost/A2B_entity_voucher.php ... &section=3 . Now simply remove all data after the = sign so it looks like this: http://localhost/A2B_entity_voucher.php?form_action= and put in the code, for example http://localhost/A2B_entity_voucher.php ... %22test%22);%3C/script%3E .

You will see an ALERT. The same is in the call history file. The guy who found that also told me there is something wrong in the SQL, but he didn't tell me where. But he told me that it is possible to make an SQL query using an XSS attack on the 2 links that I showed above. Please help. Bye

Author:  areski [ Tue Aug 11, 2009 10:44 am ]
Post subject:  Re: A2Billing SECURITY ISSUE

We tried to improve this on 1.4 and, as far as I could try, this seems fixed on 1.4.x.

Nevertheless, I can't find out how he will apply an SQL that way; I would be interested to find out.


Cheers,
/Areski
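
The reflection pattern described in the first post, next to a hardened form of it, as an added example that is not part of this thread and not A2Billing's own code. It assumes the page writes the `form_action` and `section` request parameters back into HTML; the function names and the allow-list of actions are hypothetical.

```php
<?php
// Added example: hypothetical handler code, not taken from A2Billing.
// Assumption: the page echoes form_action and section back into its HTML.

// Hypothetical allow-list; the real set of actions is not given in the thread.
const ALLOWED_ACTIONS = ['list', 'add', 'edit', 'delete'];

// Vulnerable pattern: raw request data concatenated into markup.
function render_unsafe(array $query): string
{
    $action = $query['form_action'] ?? '';
    return '<input type="hidden" name="form_action" value="' . $action . '">';
}

// Hardened pattern: validate each parameter against what it is allowed to be,
// then HTML-encode on output anyway (defence in depth).
function render_safe(array $query): string
{
    $action = $query['form_action'] ?? '';
    if (!is_string($action) || !in_array($action, ALLOWED_ACTIONS, true)) {
        $action = 'list'; // fall back to a known-good default
    }
    $section = $query['section'] ?? '';
    $section = (is_string($section) && ctype_digit($section)) ? $section : '0';

    return '<input type="hidden" name="form_action" value="'
        . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '">'
        . '<input type="hidden" name="section" value="'
        . htmlspecialchars($section, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['form_action' => 'list', 'section' => '3'],
    ['form_action' => '"><i>probe</i>', 'section' => '3'],   // markup in the parameter
    ['form_action' => ['nested'], 'section' => '3 and more'], // wrong types and formats
];

foreach ($samples as $q) {
    $unsafe = is_string($q['form_action']) ? render_unsafe($q) : '(array input)';
    echo "unsafe: ", $unsafe, "\n";
    echo "safe:   ", render_safe($q), "\n\n";
}
```

For the second sample the unsafe output contains the injected `<i>` element outside the attribute, while the safe output falls back to `list`.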

All times are UTC