I’ve recently used Detectify app on my website.
All was ok on my website but not on my whole server. The only exploits found were… on Virtualmin
2x XSS
Can be used in order to grab cookies, cause run-by attacks, phishing, browser based exploitation or tabnabbing.
URL : https://domain.tld:20000/session_login.cgi
URL : https://domain.tld:10000/session_login.cgi
COOKIES: PHPSESSID=0ijbf57f8en02mn98euc580q16; testing=1
POST: page=%2F&user=%22%2F%3E%3Cdetectify%3EknVqAc1DF8&pass=&save=1
And 2x Input AutoComplete
URL : https://domain.tld:20000/session_login.cgi
COOKIES: PHPSESSID=0ijbf57f8en02mn98euc580q16; testing=1
Username
The input appears to be used for confidential data, however autocomplete is still activated. In case of a Cross-Site Scripting (XSS) incident, such data may be siphoned by the attacker if you’ve previously entered it into the input.
URL : https://domain.tld:10000/session_login.cgi
POST: page=%252F&user=&pass=&save=1
You must enter a username and password to login to the Usermin server on monsterwin.fr.
<input class=‘ui_checkbox’ type=ch…
You can test on detectify.com. Thanks.
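As an added illustration (not code from this post or from Virtualmin/Usermin), the following Python decodes the POST body the scanner reported above, shows why reflecting that `user` value into the login form's value attribute lets it escape the attribute, and shows the hardened rendering with output encoding and `autocomplete="off"`. The two render functions are hypothetical templates standing in for the form in session_login.cgi.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# POST body reported by the scanner above; the "user" field carries the probe.
POST_BODY = "page=%2F&user=%22%2F%3E%3Cdetectify%3EknVqAc1DF8&pass=&save=1"
PAYLOAD = parse_qs(POST_BODY, keep_blank_values=True)["user"][0]  # '"/><detectify>knVqAc1DF8'

def render_user_input_vulnerable(user):
    # Hypothetical template: the previously entered username is reflected
    # into the value attribute without encoding, so a quote plus "/>" ends
    # the tag early and the rest of the value becomes new markup.
    return '<input name="user" value="%s">' % user

def render_user_input_hardened(user):
    # html.escape(quote=True) encodes &, <, >, " and ', so the value cannot
    # close the attribute; autocomplete="off" covers the second finding.
    return '<input name="user" value="%s" autocomplete="off">' % html.escape(user, quote=True)

class TagCollector(HTMLParser):
    """Records every start tag (including self-closing ones) with its attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))
    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup):
    """Parses a fragment roughly the way a browser would and returns its tags."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags

def breaks_out_of_attribute(markup):
    """True when rendering produced anything other than the single <input> tag."""
    tags = parse_tags(markup)
    return len(tags) != 1 or tags[0][0] != "input"

if __name__ == "__main__":
    for name, render in (("vulnerable", render_user_input_vulnerable),
                         ("hardened", render_user_input_hardened)):
        markup = render(PAYLOAD)
        print(name, "->", markup)
        print("  tags:", [t for t, _ in parse_tags(markup)],
              "| breaks out:", breaks_out_of_attribute(markup))
```

In the vulnerable rendering the parser sees a second element (`detectify`) after the input; in the hardened one it sees a single input whose value round-trips to the original string unchanged.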