Xajax Unspecified Cross-Site Scripting Vulnerability

Bugtraq ID:	24006
Class:	Input Validation Error
CVE:	CVE-2007-2739
Remote:	Yes
Local:	No
Published:	May 16 2007 12:00AM
Updated:	Dec 31 2008 06:31PM
Credit:	The vendor reported this vulnerability.
Vulnerable:	Xajax Xajax 0.2.4 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0
Not Vulnerable:	Xajax Xajax 0.2.5

Xajax Unspecified Cross-Site Scripting Vulnerability

Xajax is prone to an unspecified cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects versions prior to Xajax 0.2.5.

Xajax Unspecified Cross-Site Scripting Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Xajax Unspecified Cross-Site Scripting Vulnerability

Solution:
The vendor has released fixes to address this issue; please see the references for details.


Debian Linux 4.0

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 amd64

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 mipsel

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 ia-32

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 arm

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 hppa

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 sparc

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 s/390

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 powerpc

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 alpha

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 ia-64

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 mips

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Debian Linux 4.0 m68k

• Debian php-xajax_0.2.4-2+etch1_all.deb
  http://security.debian.org/pool/updates/main/p/php-xajax/php-xajax_0.2 .4-2+etch1_all.deb

Xajax Xajax 0.2.4

• Xajax Xajax 0.2.5
  http://downloads.sourceforge.net/xajax/xajax_0.2.5.zip?modtime=1179306 276&big_mirror=0

Xajax Unspecified Cross-Site Scripting Vulnerability

References:

• Xajax Homepage (Xajax)
  
• xajax PHP and Javascript library changelog (Xajax)