Whois.Cart admin/domain_add.php Domain Name XSS

2005-08-04T18:56:45
ID OSVDB:18533
Type osvdb
Reporter security curmudgeon(jericho@attrition.org)
Modified 2005-08-04T18:56:45

Description

Vulnerability Description

Whois.Cart contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Domain Name' field upon submission to the admin/domain_add.php script before echoing it back into the page. This could allow a user to create a specially crafted URL or form submission that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Technical Description

Because the affected script lives under the admin/ directory, an attacker must supply valid authentication credentials in order to exploit this vulnerability.
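The flaw class described above, reduced to a minimal "add domain" handler. This is an added example and is not Whois.Cart's code; the field name domain_name, the function names, and the assumption that the submitted value is reflected straight back into the admin page are illustrative, since the advisory gives no source.

```php
<?php
// Added example, not Whois.Cart code: a minimal admin "add domain" handler
// showing the flaw class described in the advisory and one way to fix it.
// Assumptions (not from the advisory): the form field is named "domain_name"
// and its value is echoed back into the admin page after submission.

// VULNERABLE: the submitted value is reflected into HTML unchanged, so a
// value such as  example.com"><script>alert(1)</script>  breaks out of the
// attribute and runs in the browser of whoever views the page.
function render_domain_vulnerable(string $domain): string
{
    return '<input type="text" name="domain_name" value="' . $domain . '">';
}

// Defence 1: validate that the value is actually a hostname (RFC 1035 label
// syntax: 1-63 chars per label, letters/digits/hyphen, no leading or
// trailing hyphen, at least one dot, 253 chars total). A script payload
// cannot satisfy this, so it is rejected before it is stored or echoed.
function is_valid_domain_name(string $domain): bool
{
    if (strlen($domain) > 253) {
        return false;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match("/^(?:{$label}\\.)+{$label}$/i", $domain);
}

// Defence 2: encode on output anyway (defence in depth), so that even a
// value that reaches the template cannot break out of the attribute.
function html_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_domain_hardened(string $domain): string
{
    if (!is_valid_domain_name($domain)) {
        // Reject outright and never echo the bad value back unencoded.
        return '<p class="error">Invalid domain name.</p>';
    }
    return '<input type="text" name="domain_name" value="' . html_attr($domain) . '">';
}

// Demonstration with a constructed payload (the form POST is simulated).
$payload = 'example.com"><script>alert(document.cookie)</script>';
echo render_domain_vulnerable($payload), PHP_EOL;   // script tag lands in the page
echo render_domain_hardened($payload), PHP_EOL;     // rejected by validation
echo render_domain_hardened('shop.example.net'), PHP_EOL; // accepted and encoded
```

On PHP 7.0 and later, filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) performs a comparable hostname check and can replace the hand-written regex; the output encoding in html_attr() should stay regardless, because the validation rule may later be relaxed (for example to allow internationalised names) while the template does not change.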

Solution Description

Upgrade to version 2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://whoiscart.net/
Related OSVDB ID: 18534
Related OSVDB ID: 18535
Related OSVDB ID: 18536
Other Advisory URL: http://osvdb.org/ref/18/1853x-whois_cart-xss.txt