sorry i dont understand the question... maybe I have badly explained....
I used this program to give me an idea, but these things I do not understand much.
a week ago my site (which uses a different script) was sent down
by a lamer.
so I decided to use your script (much better)
but I would not want it to happen again, so I tried to inform me and I found this program (Acunetix WVS 8)that seems very much appreciated.
who found an error (or possible error) in the request for security forgotten password ...
I just wanted to know if it's a false alarm? or whether, if the bug could be resolved?
I am a noob in these things
ps: I enclose the results of the scan:
- Code: Select all
POST /dfh/index.php?act=forgotpass&page=login HTTP/1.1
Content-Length: 88
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=403eajkni8ckc0rj84rg80hfu3
Host:
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
security_code=94102&submit=Invia&user=%22%20onmouseover%3dprompt%28989101%29%20bad%3d%22Response
HTTP/1.1 200 OK
Date: Mon, 02 Apr 2012 16:15:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3994
This vulnerability affects /dfh/index.php.
Discovered by: Scripting (XSS.script).
Attack details
URL encoded POST input user was set to " onmouseover=prompt(989101) bad="
The input is reflected inside a tag parameter between double quotes.
Posted: Fri Mar 30, 2012 5:49 pm