Owl Intranet Engine 'register.php' Cross Site Scripting Vulnerability

Bugtraq ID:	30410
Class:	Input Validation Error
CVE:	CVE-2008-3100
Remote:	Yes
Local:	No
Published:	Jul 28 2008 12:00AM
Updated:	Jul 28 2008 11:07PM
Credit:	Fabian Fingerle
Vulnerable:	Owl Owl Intranet Engine 0.95
Not Vulnerable:

Owl Intranet Engine 'register.php' Cross Site Scripting Vulnerability

Owl Intranet Engine is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Owl Intranet Engine 0.95 is vulnerable; prior versions may also be affected.

Owl Intranet Engine 'register.php' Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI.

The following example URI is available:

• /data/vulnerabilities/exploits/30410.html

Owl Intranet Engine 'register.php' Cross Site Scripting Vulnerability

Solution:
The vendor has released a patch. Please see the references for more information.


Owl Owl Intranet Engine 0.95

• Owl owl.lib.php
  http://owl.cvs.sourceforge.net/*checkout*/owl/owl-0.90/lib/owl.lib.php

Owl Intranet Engine 'register.php' Cross Site Scripting Vulnerability

References:

• Owl Intranet Engine Homepage (Owl)
  
• Cross Site Scripting (XSS) in Owl <=0.95, CVE-2008-3100 (Fabian Fingerle )