Author Topic: I got a message from a hacker today that he found xss scripting problem  (Read 1558 times)
truthonlytruth
« on: December 27, 2007, 02:25:31 PM »

I got a message from a hacker today that he found an XSS scripting problem....

http://www.mysite.com/cgi-bin/calendar/calendar_admin.pl?calendar=default&username=%22%3E%3Cscript%3Ealert('Uyari%20:%20Turksad%20and%2019%B2%B3Turk%20Grup')%3C/script%3E


URGENT ACTION NEEDED....

Thanks
musicvid
« Reply #1 on: December 27, 2007, 09:50:22 PM »

> I got a message from a hacker today that he found xss scripting problem...
You got a message from a hacker? That is indeed remarkable. Were you sent an email, or did the hacker appear at your doorstep?
What version of CalendarScript are you using?
I can't find your page at mysite.com
But I must assume you are telling the truth from your login.
Please enlighten.
« Last Edit: December 28, 2007, 10:32:34 AM by musicvid »

DanO
« Reply #2 on: December 28, 2007, 09:52:20 PM »

> What version of CalendarScript are you using?

Dan O.
truthonlytruth
« Reply #3 on: December 29, 2007, 11:37:30 PM »

I am not that amateur to give you my site address in this case to publicly target the site... Just replace the domain with your address and you will see the action...

Latest version....

From nowhere I got that message in an email, telling me exactly what I told you...

Thanks
« Last Edit: December 29, 2007, 11:39:25 PM by truthonlytruth »

truthonlytruth
« Reply #4 on: January 05, 2008, 12:47:26 PM »

What is going on with this script...

New changes: I thought you guys were going to make something out of it...
But your demo is not working and so on...

No answer to a simple question...
DanO
« Reply #5 on: January 05, 2008, 03:48:29 PM »

What version of Calendarscript are you using?

Dan O.
« Last Edit: January 06, 2008, 05:55:15 PM by DanO »

truthonlytruth
« Reply #6 on: January 06, 2008, 12:29:31 PM »

In my previous post I said the latest version...

which is 321

Thanks
DanO
« Reply #7 on: January 06, 2008, 06:11:11 PM »

Sorry I missed that statement (possibly since it didn't actually state the version number).

Anyway, I tried the code you supplied with my own calendar and all it does is pop up a JavaScript alert box with the hacker's name in it. That is not quite a critical situation.

I believe (although I could be wrong) that one of the previous bug fixes was to remove any HTML tags from being passed to the script via the command line. Maybe the fix was only made for the calendar.pl file? In any case, running JavaScript code only affects the user's browser, not the script installation itself AFAIK. The same could be done on any web page.

If you have more concerns you should probably bring them to Scott's attention via email.

JMO

Dan O.
« Last Edit: January 06, 2008, 06:14:28 PM by DanO »
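Dan's point above, that the supplied URL makes the browser run script only because the `username` value is echoed straight back into the page, can be shown with a small stand-alone Perl script. This is an added illustration, not CalendarScript's code (the real calendar_admin.pl is not on this page); the query string, the `render_login_vulnerable` / `render_login_safe` functions and the `html_escape` helper are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration (not CalendarScript code): how a reflected XSS in a
# CGI parameter arises, and how escaping at output time removes it.
use strict;
use warnings;

# Minimal URL decoder for query-string values (assumption: one value per key).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $s;
}

# Split "k=v&k2=v2" into a hash of decoded keys and values.
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $params{ url_decode($k) } = url_decode(defined $v ? $v : '');
    }
    return \%params;
}

# HTML-escape a string so the browser renders it as text, never as markup.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern: the parameter is interpolated into an attribute verbatim,
# so a value beginning with "> closes the attribute and the tag.
sub render_login_vulnerable {
    my ($username) = @_;
    return qq{<input type="text" name="username" value="$username">};
}

# Hardened pattern: every untrusted value is escaped at the point of output.
sub render_login_safe {
    my ($username) = @_;
    my $u = html_escape($username);
    return qq{<input type="text" name="username" value="$u">};
}

# Constructed query string modelled on the one reported in the thread
# (payload shortened to alert(1); no real site is involved).
my $query  = 'calendar=default&username=%22%3E%3Cscript%3Ealert(1)%3C/script%3E';
my $params = parse_query($query);
my $username = $params->{username};

print "Decoded username parameter: $username\n\n";
print "Vulnerable output:\n", render_login_vulnerable($username), "\n\n";
print "Escaped output:\n",    render_login_safe($username),       "\n\n";

# A regression check a maintainer can keep: the escaped page must not contain
# a live <script> tag derived from the parameter.
my $safe = render_login_safe($username);
print(($safe =~ /<script/i) ? "FAIL: raw <script> reached the page\n"
                            : "OK: parameter rendered as inert text\n");
```

Run it with `perl` from a shell; no web server or CGI environment is needed. The vulnerable output shows the `">` prefix closing the `value` attribute and the `<input>` tag so the injected `<script>` becomes live markup, while the escaped output keeps the whole value inside the attribute as `&quot;&gt;&lt;script&gt;...`. Escaping where the value is written into HTML is preferable to stripping tags on input, because the same string may be safe in one output context and not in another.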
truthonlytruth
« Reply #8 on: January 06, 2008, 09:24:39 PM »

I have no idea about Perl scripts, that's why I brought it here...

What do you mean by Scott's attention???
DanO
« Reply #9 on: January 07, 2008, 05:00:23 PM »

> What do you mean by Scott's attention?

He owns CalendarScript and is solely responsible for its code. If you have security concerns you should talk to him directly about it via email.

I only help out here in the forums.

Dan O.
truthonlytruth
« Reply #10 on: January 08, 2008, 12:07:35 AM »

I thought that you guys took over the script...

Oh well,
I will do that...
Thanks
scott (Administrator)
« Reply #11 on: January 08, 2008, 02:04:40 AM »

What did this hacker tell you? Specifics would be helpful...
DanO
« Reply #12 on: January 08, 2008, 05:15:10 PM »

> I thought that you guys took over the script...

"You guys" IS Scott which is why I suggested you contact him.

JFYI

Dan O.
truthonlytruth
« Reply #13 on: January 09, 2008, 11:06:28 PM »

I have received this Hotmail email in my mailbox, and it says exactly that my script is hacked...
He was telling me that XSS scripting was used by him... and the link, that's all...

I have no idea about Perl scripting, and I went through my admin area and disabled the admin section of the script until you guys figure out what this email is all about...

http://www.mysite.com/cgi-bin/calendar/calendar_admin.pl?calendar=default&username=%22%3E%3Cscript%3Ealert('Uyari%20:%20Turksad%20and%2019%B2%B3Turk%20Grup')%3C/script%3E


That's it... I was afraid he was going to do something...

Let me know please...

Thanks
« Last Edit: January 14, 2008, 04:32:45 PM by truthonlytruth »