ABitWhizzy Multiple Cross Site Scripting And Directory Traversal Vulnerabilities

Bugtraq ID:	23167
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 14 2007 12:00AM
Updated:	Mar 27 2007 09:53PM
Credit:	Lostmon is credited with the discovery of these vulnerabilities.
Vulnerable:	unverse.net aBitWhizzy 0
Not Vulnerable:

ABitWhizzy Multiple Cross Site Scripting And Directory Traversal Vulnerabilities

aBitWhizzy is prone to multiple cross-site scripting and directory-traversal vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker could exploit these vulnerabilities to view the directory structure on the affected webserver and perform cross-site scripting attacks on unsuspecting users in the context of the affected website. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

ABitWhizzy Multiple Cross Site Scripting And Directory Traversal Vulnerabilities

To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting victim into following a malicious URI.

To exploit a directory-traversal vulnerability, an attacker use a browser.

The following proof-of-concept URIs are available:

• /data/vulnerabilities/exploits/23167.html

ABitWhizzy Multiple Cross Site Scripting And Directory Traversal Vulnerabilities

Solution:
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

ABitWhizzy Multiple Cross Site Scripting And Directory Traversal Vulnerabilities

References:

• aBitWhizzy Homepage (Unverse )