NI3
11-05-2003, 11:35 AM
TITLE:
OpenAutoClassifieds "listing" Parameter Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA10138

VERIFY ADVISORY:
[Only registered and activated users can see links]

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
OpenAutoClassifieds 1.x

DESCRIPTION:
A vulnerability has been identified in OpenAutoClassifieds, which can
be exploited by malicious people to conduct Cross-Site Scripting
attacks.

The vulnerability is caused due to missing validation of input supplied
to the "listing" parameter in "friendmail.php". This can be exploited
by including arbitrary HTML or script code in the parameter, which
will cause it to be executed in a user's browser session when
viewed.

Example:
[Only registered and activated users can see links][victim]/openautoclassifieds/friendmail.php?listing=<script>alert(document.domain);</script>

The vulnerability has been confirmed in version 1.0.

SOLUTION:
Filter malicious input in a HTTP proxy or firewall with URL filtering
capabilities.

Edit the source code to ensure that user input is properly validated.

REPORTED BY / CREDITS:
David Sopas Ferreira, SystemSecure.org.

----------------------------------------------------------------------
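A Python illustration added here (not code from the advisory or from OpenAutoClassifieds): the unvalidated reflection the advisory describes, a hardened version that validates and encodes the "listing" parameter, and a check over constructed access-log lines for friendmail.php requests whose parameter carries markup. The template string, the rule that a listing id is numeric, and the log lines are assumptions.

```python
"""Added example; not the advisory's or OpenAutoClassifieds' own code."""
import html
import re
from urllib.parse import urlsplit, unquote_plus


def render_friendmail_unsafe(listing: str) -> str:
    """Assumed template: echoes the parameter verbatim, as the advisory describes."""
    return f'<input type="hidden" name="listing" value="{listing}">'


def render_friendmail_fixed(listing: str) -> str:
    """Validate first (assumption: a listing id is a decimal number), then
    encode on output so the value can never break out of the attribute."""
    if not re.fullmatch(r"[0-9]{1,10}", listing):
        raise ValueError("invalid listing id")
    safe = html.escape(listing, quote=True)
    return f'<input type="hidden" name="listing" value="{safe}">'


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2003:11:35:00 +0000] "GET /openautoclassifieds/friendmail.php?listing=1042 HTTP/1.0" 200 512
203.0.113.9 - - [05/Nov/2003:11:36:10 +0000] "GET /openautoclassifieds/friendmail.php?listing=%3Cscript%3Ealert(document.domain);%3C/script%3E HTTP/1.0" 200 640
203.0.113.9 - - [05/Nov/2003:11:37:45 +0000] "GET /openautoclassifieds/index.php HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A numeric id never contains these; any hit means the parameter carries markup.
MARKUP_RE = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)


def suspicious_listing_requests(log_text: str) -> list:
    """Return decoded 'listing' values of friendmail.php requests that
    contain markup characters. Splits the query by hand on '&' so a ';'
    inside a payload is kept as part of the value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/friendmail.php"):
            continue
        for pair in url.query.split("&"):
            key, _, value = pair.partition("=")
            decoded = unquote_plus(value)
            if key == "listing" and MARKUP_RE.search(decoded):
                hits.append(decoded)
    return hits
```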