phpCodeCabinet (phpCC) facade/header.php Script Injection

2004-02-04T06:28:20
ID OSVDB:16710
Type osvdb
Reporter OSVDB
Modified 2004-02-04T06:28:20

Description

Vulnerability Description

phpCodeCabinet contains flaws that allow remote cross-site scripting attacks. The flaws exist because the application does not validate unspecified variables submitted to the themes/facade/header.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 0.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://phpcc.mtsdev.com/
Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?release_id=214860
Secunia Advisory ID: 10862
Related OSVDB ID: 16711
Related OSVDB ID: 3920
ISS X-Force ID: 15190
CVE-2004-2085
Bugtraq ID: 9645
Bugtraq ID: 9601