Help Center Live Multiple Field Arbitrary Operator Script Injection

2005-05-17T07:11:07
ID OSVDB:16652
Type osvdb
Reporter James Bercegay
Modified 2005-05-17T07:11:07

Description

Vulnerability Description

Help Center Live contains a flaw that allows a remote script injection attack. This flaw exists because the application does not validate user-supplied input to the name or message fields upon submission to the operator scripts. This could allow a user to create a specially crafted script command that would execute arbitrary code in the operator's browser, leading to a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Michael Bird has released a patch to address this vulnerability.

References:

Vendor URL: http://www.helpcenterlive.com/
Security Tracker: 1013986
Secunia Advisory ID: 15401
Related OSVDB ID: 16655
Related OSVDB ID: 16651
Related OSVDB ID: 16657
Related OSVDB ID: 16658
Related OSVDB ID: 16656
Related OSVDB ID: 16653
Related OSVDB ID: 16654
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00076-05172005
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0214.html
CVE-2005-1672