PHP Live! Multiple Cross-Site Scripting Vulnerabilities
BID:21737
Info
| Bugtraq ID: | 21737 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 25 2006 12:00AM |
| Updated: | Jan 02 2007 06:36PM |
| Credit: | Doz of Hackers Center Security Group is credited with the discovery of these vulnerabilities. |
| Vulnerable: | PHP Live! PHP Live! 3.2.2 |
| Not Vulnerable: | |
Discussion
PHP Live! is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Version 3.2.2 was reported vulnerable; other versions may also be affected.
Exploit / POC
An attacker can trigger these vulnerabilities by enticing a victim user to follow a malicious URI.
Example URIs have been provided:
/transcripts.php?action=view&deptid=1&userid=0&search_string=[XSS]
http://www.example.com/index.php?l=[XSS]
/phplive/message_box.php?theme=&l=ezpub&x=1&deptid=[XSS]
/phplive/message_box.php?theme=&l=admin&x=[XSS]
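
The scripts and parameters named in the example URIs above can be watched for in web-server access logs. The following is an added example, not part of the original advisory or of PHP Live!: it flags requests to those scripts in which a listed parameter carries HTML metacharacters. The log format, the sample lines and the rule that legitimate values never contain such characters are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script name -> parameters the advisory's example URIs mark as injectable.
WATCHED = {
    "transcripts.php": {"search_string"},
    "index.php": {"l"},
    "message_box.php": {"deptid", "x"},
}
# Assumption: legitimate values for these parameters never contain HTML
# metacharacters, so any of them (after URL-decoding) is worth a look.
MARKUP = re.compile(r"[<>\"'`]")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(uri):
    """Return the watched parameters in `uri` whose values contain markup."""
    parts = urlsplit(uri)
    script = parts.path.rsplit("/", 1)[-1].lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    hits = set()
    for name in WATCHED.get(script, ()):
        for value in query.get(name, []):
            # Second decode catches double-encoded values such as %253C.
            if MARKUP.search(value) or MARKUP.search(unquote(value)):
                hits.add(name)
    return sorted(hits)

def scan(lines):
    """Return (line_number, [parameter, ...]) for each flagged request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        params = suspicious_params(match.group(1)) if match else []
        if params:
            findings.append((number, params))
    return findings

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jan/2007:10:00:00 +0000] "GET /phplive/message_box.php?theme=&l=admin&x=1&deptid=2 HTTP/1.1" 200 512',
    '192.0.2.11 - - [02/Jan/2007:10:00:05 +0000] "GET /transcripts.php?action=view&deptid=1&userid=0&search_string=%3Cb%3Etest HTTP/1.1" 200 900',
    '192.0.2.12 - - [02/Jan/2007:10:00:09 +0000] "GET /phplive/message_box.php?theme=&l=ezpub&x=1&deptid=%2522%253E HTTP/1.1" 200 700',
    '192.0.2.13 - - [02/Jan/2007:10:00:12 +0000] "GET /index.php?l=english HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, params in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(params)}")
```

Because `index.php` is a common script name, matches on its `l` parameter should be confirmed against the PHP Live! installation path before being treated as relevant.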
Solution / Fix
Solution:
Currently we are not aware of any solutions for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].