BID:30676

Freeway Multiple Input Validation Vulnerabilities

Info

Freeway Multiple Input Validation Vulnerabilities

Bugtraq ID:	30676
Class:	Input Validation Error
CVE:	CVE-2008-3677
Remote:	Yes
Local:	No
Published:	Aug 13 2008 12:00AM
Updated:	May 07 2015 05:24PM
Credit:	Digital Security Research Group
Vulnerable:	Freeway Project Freeway 1.4.1 .171

Not Vulnerable:	Freeway Project Freeway 1.4.2 .197

Discussion

Freeway Multiple Input Validation Vulnerabilities

Freeway is prone to multiple remote file-include and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

Freeway 1.4.1.171 is affected; other versions may also be vulnerable.

Exploit / POC

Freeway Multiple Input Validation Vulnerabilities

Attackers can exploit the file-include issues via a browser.

To exploit the cross-site scripting issues, an attacker must entice an unsuspecting user into following a malicious URI.

The following examples are available:

/data/vulnerabilities/exploits/30676.html

Solution / Fix

Freeway Multiple Input Validation Vulnerabilities

Solution:
The vendor has addressed these issues in Freeway 1.4.2.197. Please see the references for more information.

Freeway Project Freeway 1.4.1 .171

Freeway Project Freeway 1.4.2.197
http://www.openfreeway.org/download.html

References

Freeway Multiple Input Validation Vulnerabilities

References:

Freeway 1.4.2.197 patch notes (Freeway Project)
Freeway Homepage (Freeway Project)
[DSECRG-08-036] Multiple Security Vulnerabilities in Freeway eCommerce 1.4.1.171 ("Digital Security Research Group \[DSecRG\]" )