Knusperleicht Shoutbox Shout.php HTML Injection Vulnerability

Bugtraq ID:	21637
Class:	Input Validation Error
CVE:	CVE-2006-6721
Remote:	Yes
Local:	No
Published:	Dec 18 2006 12:00AM
Updated:	Jan 02 2007 07:26PM
Credit:	IMHOT3B <[email protected]> is credited with the discovery of this vulnerability.
Vulnerable:	Knusperleicht ShoutBox 2.6
Not Vulnerable:	Knusperleicht ShoutBox 4.4

Knusperleicht Shoutbox Shout.php HTML Injection Vulnerability

Knusperleicht Shoutbox is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

Version 2.6 is vulnerable; other versions may also be affected.

Knusperleicht Shoutbox Shout.php HTML Injection Vulnerability

Attackers can exploit this issue via a web client.

The following exploit code is available:

• /data/vulnerabilities/exploits/21637.html

Knusperleicht Shoutbox Shout.php HTML Injection Vulnerability

Solution:
The vendor has released version 4.4 to address this issue. Please see the references for more information.


Knusperleicht ShoutBox 2.6

• Knusperleicht k_shoutBox_v4.4.zip
  http://www.knusperleicht.at/phpecke/dwl/klick.php?url=Script%20-%20sho utBox/&file=k_shoutBox_v4.4.zip&size=103568

Knusperleicht Shoutbox Shout.php HTML Injection Vulnerability

References:

• Vendor Homepage (Knusperleicht)