All In One Control Panel CP_Dpage.PHP Cross-Site Scripting Vulnerability
BID:24357
Info
All In One Control Panel CP_Dpage.PHP Cross-Site Scripting Vulnerability
| Bugtraq ID: | 24357 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-3120 |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 06 2007 12:00AM |
| Updated: | May 07 2015 05:37PM |
| Credit: | The vendor reported this issue. |
| Vulnerable: |
Tecnick All In One Control Panel 1.3.16 Tecnick All In One Control Panel 1.3.15 Tecnick All In One Control Panel 1.3.14 Tecnick All In One Control Panel 1.3.13 |
| Not Vulnerable: |
Tecnick All In One Control Panel 1.3.17 |
Discussion
All In One Control Panel CP_Dpage.PHP Cross-Site Scripting Vulnerability
All In One Control Panel is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects versions prior to All In One Control Panel 1.3.017.
All In One Control Panel is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects versions prior to All In One Control Panel 1.3.017.
Exploit / POC
All In One Control Panel CP_Dpage.PHP Cross-Site Scripting Vulnerability
An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.
An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.
Solution / Fix
All In One Control Panel CP_Dpage.PHP Cross-Site Scripting Vulnerability
Solution:
The vendor released an update to address this issue. Please see the references for more information.
Tecnick All In One Control Panel 1.3.13
Tecnick All In One Control Panel 1.3.14
Tecnick All In One Control Panel 1.3.15
Tecnick All In One Control Panel 1.3.16
Solution:
The vendor released an update to address this issue. Please see the references for more information.
Tecnick All In One Control Panel 1.3.13
-
Tecnick aiocp_1_3_017.zip
http://downloads.sourceforge.net/aiocp/aiocp_1_3_017.zip?modtime=11811 48813&big_mirror=0
Tecnick All In One Control Panel 1.3.14
-
Tecnick aiocp_1_3_017.zip
http://downloads.sourceforge.net/aiocp/aiocp_1_3_017.zip?modtime=11811 48813&big_mirror=0
Tecnick All In One Control Panel 1.3.15
-
Tecnick aiocp_1_3_017.zip
http://downloads.sourceforge.net/aiocp/aiocp_1_3_017.zip?modtime=11811 48813&big_mirror=0
Tecnick All In One Control Panel 1.3.16
-
Tecnick aiocp_1_3_017.zip
http://downloads.sourceforge.net/aiocp/aiocp_1_3_017.zip?modtime=11811 48813&big_mirror=0
References
All In One Control Panel CP_Dpage.PHP Cross-Site Scripting Vulnerability
References:
References:
- All In One Control Panel Homepage (Tecnick )
- Notes and Changelog AIOCP 1.3.017 (Tecnick)