AzDGDatingPlatinum view.php id Variable XSS

2005-04-09T00:00:12
ID OSVDB:15526
Type osvdb
Reporter kre0n(kre0n@mail.ru)
Modified 2005-04-09T00:00:12

Description

Vulnerability Description

AzDGDatingPlatinum contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'id' parameter before echoing it back in the page generated by the view.php script. A remote attacker could craft a URL that, when opened by a user, executes arbitrary script in that user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

AzDGDatingPlatinum contains a reflected cross-site scripting flaw: the 'id' parameter passed to view.php is not validated, so a crafted URL can execute arbitrary script in a victim's browser.

Manual Testing Notes

http://[victim]/[path]/view.php?l=default&id=3%3Cscript%3Ealert();%3C/script%3E
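The following is an added worked example, not code from the advisory or from AzDGDatingPlatinum (whose view.php source is not reproduced here). It decodes the 'id' value from the PoC URL above the way the server would see it, models the described flaw with a constructed handler that echoes the raw value into HTML, and sets a generic hardened handler beside it (digits-only check plus HTML encoding on output). The host and path are placeholders standing in for [victim]/[path]; the fix shown is the standard remediation pattern, not a vendor patch.

```python
"""Added worked example (not AzDGDatingPlatinum code) for the view.php 'id' XSS.

The real view.php source is not on this page, so the two handlers below are
a constructed model: one echoes the raw 'id' value into HTML the way the
advisory describes, the other applies the generic fix (whitelist the value,
then HTML-encode whatever is echoed). The host name and path are placeholders.
"""
import html
from urllib.parse import unquote

# PoC from the advisory's Manual Testing Notes, with a constructed host/path
# in place of [victim]/[path].
POC_URL = ("http://dating.example/site/view.php"
           "?l=default&id=3%3Cscript%3Ealert();%3C/script%3E")

# The script that the percent-encoded query string decodes to.
PAYLOAD = "<script>alert();</script>"


def id_from_url(url: str) -> str:
    """Decode the 'id' query parameter the way PHP's $_GET would present it.

    Splits on '&' only; a parser that also treats ';' as a separator would
    truncate this particular PoC at 'alert()'.
    """
    query = url.split("?", 1)[1] if "?" in url else ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == "id":
            return unquote(value)
    return ""


def render_vulnerable(id_value: str) -> str:
    """Constructed model of the flaw: the parameter lands in the HTML untouched."""
    return f"<html><body>Profile id: {id_value}</body></html>"


def render_fixed(id_value: str) -> str:
    """Generic fix (not a vendor patch): a profile id must be all digits, and the
    value is still HTML-encoded on output after passing that check."""
    if not id_value.isdigit():
        return "<html><body>Invalid profile id</body></html>"
    return f"<html><body>Profile id: {html.escape(id_value, quote=True)}</body></html>"


def render_encoded_only(value: str) -> str:
    """Output encoding alone, the minimum needed for a free-text field that
    cannot be whitelisted; '<', '>', '&' and quotes become entities."""
    return f"<html><body>Value: {html.escape(value, quote=True)}</body></html>"


def reflects_unencoded(body: str, payload: str = PAYLOAD) -> bool:
    """Detection check for a reflected XSS test: is the payload present verbatim?"""
    return payload in body


if __name__ == "__main__":
    injected = id_from_url(POC_URL)
    print("decoded id :", injected)
    print("vulnerable :", reflects_unencoded(render_vulnerable(injected)))
    print("fixed      :", reflects_unencoded(render_fixed(injected)))
    print("encoded    :", render_encoded_only(injected))
```

Note that the PoC prefixes the script with a plausible id ("3"), which is exactly the case a digits-only check catches and a bare "is the value non-empty" check does not; the encoding step is kept even after validation so a later change to the whitelist cannot silently reopen the sink.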

References:

Vendor URL: http://www.azdg.com/
Related OSVDB ID: 15524
Related OSVDB ID: 15525
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0143.html
CVE-2005-1081