Whois.Cart profile.php page Variable Arbitrary Script Insertion

2005-06-22T12:12:18
ID OSVDB:17459
Type osvdb
Reporter Elzar Stuffenbach (sanisoft@linuxmail.org)
Modified 2005-06-22T12:12:18

Description

Vulnerability Description

Whois.Cart has been reported to contain a flaw that would allow a remote attacker to inject arbitrary script code via the 'page' parameter of the profile.php script. Subsequent testing and evaluation, along with vendor-provided source code, indicate that the input appears to be properly sanitized before being passed to the profile.php script.

Solution Description

The vulnerability reported is incorrect. No solution required.

Manual Testing Notes

http://[victim]/whoiscart/profile.php?page=INSERT_JAVASCRIPT_HERE

References:

Vendor URL: http://www.whoiscart.net/
Security Tracker: 1014272
Secunia Advisory ID: 15783
Related OSVDB ID: 17460
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0304.html