BID:22957

PHProjekt Multiple Cross Site Scripting Vulnerabilities

Info

PHProjekt Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	22957
Class:	Input Validation Error
CVE:	CVE-2007-1576
Remote:	Yes
Local:	No
Published:	Mar 14 2007 12:00AM
Updated:	Jun 20 2007 03:39AM
Credit:	Alexios Fakos is credited with the discovery of these vulnerabilities.
Vulnerable:	PHProjekt PHProjekt 5.2 PHProjekt PHProjekt 5.1.2 PHProjekt PHProjekt 5.1.1 PHProjekt PHProjekt 5.1 Gentoo Linux

Not Vulnerable:

Discussion

PHProjekt Multiple Cross Site Scripting Vulnerabilities

PHProjekt is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.

PHProjekt 5.2.0 and prior versions are vulnerable to these issues.

Exploit / POC

PHProjekt Multiple Cross Site Scripting Vulnerabilities

To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.

Solution / Fix

PHProjekt Multiple Cross Site Scripting Vulnerabilities

Solution:
The vendor has released version 5.2.1 to address these issues.

PHProjekt PHProjekt 5.1

PHProjekt PHProjekt 5.2.1
http://www.phprojekt.com/download/phprojekt.tar.gz

PHProjekt PHProjekt 5.1.1

PHProjekt PHProjekt 5.2.1
http://www.phprojekt.com/download/phprojekt.tar.gz

PHProjekt PHProjekt 5.1.2

PHProjekt PHProjekt 5.2.1
http://www.phprojekt.com/download/phprojekt.tar.gz

PHProjekt PHProjekt 5.2

PHProjekt PHProjekt 5.2.1
http://www.phprojekt.com/download/phprojekt.tar.gz

References

PHProjekt Multiple Cross Site Scripting Vulnerabilities

References:

n.runs-SA-2007.004 Cross Site Scripting and Filter Evasion PHProjekt 5.2.0 (n.runs AG)
PHProjekt Homepage (PHProjekt Team)