BID:23790

All In One Control Panel CP_Config.PHP Cross-Site Scripting Vulnerability

Info

All In One Control Panel CP_Config.PHP Cross-Site Scripting Vulnerability

Bugtraq ID:	23790
Class:	Input Validation Error
CVE:	CVE-2007-2624
Remote:	Yes
Local:	No
Published:	May 03 2007 12:00AM
Updated:	May 07 2015 05:39PM
Credit:	The vendor reported this issue.
Vulnerable:	Tecnick All In One Control Panel 1.3.15 Tecnick All In One Control Panel 1.3.14 Tecnick All In One Control Panel 1.3.13

Not Vulnerable:	Tecnick All In One Control Panel 1.3.16

Discussion

All In One Control Panel CP_Config.PHP Cross-Site Scripting Vulnerability

All In One Control Panel is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects versions prior to 1.3.016.

Exploit / POC

All In One Control Panel CP_Config.PHP Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Solution / Fix

All In One Control Panel CP_Config.PHP Cross-Site Scripting Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.

References

All In One Control Panel CP_Config.PHP Cross-Site Scripting Vulnerability

References:

All In One Control Panel Homepage (Tecnick )
All in One Control Panel Release Notes Version 1.3.016 (Tecnick )