PWSPHP Multiple Cross-Site Scripting Vulnerabilities
BID:13561
Info
PWSPHP Multiple Cross-Site Scripting Vulnerabilities
| Bugtraq ID: | 13561 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 09 2005 12:00AM |
| Updated: | May 09 2005 12:00AM |
| Credit: | SecuBox fRoGGz <[email protected]> is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
PwsPHP PwsPHP 1.2.2 Final PwsPHP PwsPHP 1.2.2 PwsPHP PwsPHP 1.2.1 |
| Not Vulnerable: |
PwsPHP PwsPHP 1.2.3 |
Discussion
PWSPHP Multiple Cross-Site Scripting Vulnerabilities
PwsPHP is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
The vendor has addressed these issues in PwsPHP version 1.2.3; earlier versions are reported vulnerable.
PwsPHP is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
The vendor has addressed these issues in PwsPHP version 1.2.3; earlier versions are reported vulnerable.
Exploit / POC
PWSPHP Multiple Cross-Site Scripting Vulnerabilities
No exploit is required.
The following proof of concept URI are available:
http://www.example.com/index.php?mod=news&ac=plus&month=[XSS INJECTION]&annee=[XSS INJECTION]
http://www.example.com/index.php?mod=stats&aff=forum&nbractif=[XSS INJECTION]
http://www.example.com/index.php?mod=stats&aff=pages&annee=[XSS INJECTION]
http://www.example.com/profil.php?id=1%20[XSS INJECTION]
http://www.example.com/memberlist.php?mb_lettre=%A4%20[XSS INJECTION]
http://www.example.com/memberlist.php?mb1_order=id&mb1_ord=DESC&lettre=[XSS INJECTION]
http://www.example.com/index.php?&mod=recherche&choix_recherche=2&chaine_search=[XSS INJECTION]&multi_mots=tous&choix_forum=1&auteur_search=[XSS INJECTION]
No exploit is required.
The following proof of concept URI are available:
http://www.example.com/index.php?mod=news&ac=plus&month=[XSS INJECTION]&annee=[XSS INJECTION]
http://www.example.com/index.php?mod=stats&aff=forum&nbractif=[XSS INJECTION]
http://www.example.com/index.php?mod=stats&aff=pages&annee=[XSS INJECTION]
http://www.example.com/profil.php?id=1%20[XSS INJECTION]
http://www.example.com/memberlist.php?mb_lettre=%A4%20[XSS INJECTION]
http://www.example.com/memberlist.php?mb1_order=id&mb1_ord=DESC&lettre=[XSS INJECTION]
http://www.example.com/index.php?&mod=recherche&choix_recherche=2&chaine_search=[XSS INJECTION]&multi_mots=tous&choix_forum=1&auteur_search=[XSS INJECTION]
Solution / Fix
PWSPHP Multiple Cross-Site Scripting Vulnerabilities
Solution:
The vendor has addressed this issue in PwsPHP version 1.2.3.
PwsPHP PwsPHP 1.2.1
PwsPHP PwsPHP 1.2.2 Final
PwsPHP PwsPHP 1.2.2
Solution:
The vendor has addressed this issue in PwsPHP version 1.2.3.
PwsPHP PwsPHP 1.2.1
-
PwsPHP PwsPHP 1.2.3
http://mods.pwsphp.com/index.php?mod=archives&ac=voir&id=219
PwsPHP PwsPHP 1.2.2 Final
-
PwsPHP PwsPHP 1.2.3
http://mods.pwsphp.com/index.php?mod=archives&ac=voir&id=219
PwsPHP PwsPHP 1.2.2
-
PwsPHP PwsPHP 1.2.3
http://mods.pwsphp.com/index.php?mod=archives&ac=voir&id=219
References
PWSPHP Multiple Cross-Site Scripting Vulnerabilities
References:
References:
- PwsPHP Homepage (PwsPHP)
- PwsPHP v1.2.2 Final - Multiples vulnerabilities (SecuBox fRoGGz
)