BID:13089

ModernGigabyte ModernBill Aid Parameter Cross-Site Scripting Vulnerability

Info

ModernGigabyte ModernBill Aid Parameter Cross-Site Scripting Vulnerability

Bugtraq ID:	13089
Class:	Input Validation Error
CVE:	CVE-2005-1053
Remote:	Yes
Local:	No
Published:	Apr 11 2005 12:00AM
Updated:	Jul 12 2009 12:56PM
Credit:	Discovery is credited to James Bercegay of the GulfTech Security Research Team.
Vulnerable:	ModernGigabyte ModernBill 4.3

Not Vulnerable:	ModernGigabyte ModernBill 4.3.1

Discussion

ModernGigabyte ModernBill Aid Parameter Cross-Site Scripting Vulnerability

ModernBill is affected by a cross-site scripting vulnerability.

This issue is due to a failure in the application to properly sanitize user-supplied input to the 'aid' parameter. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

ModernBill 4.3 and prior versions are vulnerable to this issue.

Exploit / POC

ModernGigabyte ModernBill Aid Parameter Cross-Site Scripting Vulnerability

No exploit is required.

The following proof of concept URI is available:
http://www.example.com/order/orderwiz.php?v=1&aid=[XSS]

Solution / Fix

ModernGigabyte ModernBill Aid Parameter Cross-Site Scripting Vulnerability

Solution:
The vendor has released ModernBill version 4.3.1 to address this issue. Please contact the vendor to obtain the fixed packages.

References

ModernGigabyte ModernBill Aid Parameter Cross-Site Scripting Vulnerability

References:

ModernBill (ModernGigabyte)
Multiple ModernBill 4.3.0 And Earlier Vulnerabilities (James Bercegay)
Multiple ModernBill 4.3.0 And Earlier Vulnerabilities (GulfTech Security Research )