IPB Riverdark RSS Syndicator rss.php Multiple Variable XSS

2005-09-26T12:15:05
ID OSVDB:19664
Type osvdb
Reporter X1ngBox (X1ngBox@gmail.com)
Modified 2005-09-26T12:15:05

Description

Vulnerability Description

Riverdark RSS Syndicator contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the "forum" or "topic" parameters upon submission to the "rss.php" script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor URL: http://mods.invisionize.com/db/index.php/f/3405
Security Tracker: 1014969
Secunia Advisory ID: 16934
CVE-2005-3085