Zomplog detail.php name Variable XSS

2005-10-20T06:59:10
ID OSVDB:20253
Type osvdb
Reporter Brian Walter (bipicciuti@hotmail.com)
Modified 2005-10-20T06:59:10

Description

Vulnerability Description

Zomplog contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'name' variable upon submission to the 'detail.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

/detail.php?name=[XSS]

References:

Vendor URL: http://zomplog.zomp.nl
Security Tracker: 1015088
Secunia Advisory ID: 17306
Related OSVDB ID: 20251
Related OSVDB ID: 20250
Related OSVDB ID: 20252
Related OSVDB ID: 20254
Related OSVDB ID: 20255
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-10/0277.html
Keyword: Nightmare TeAmZ Advisory 011
ISS X-Force ID: 22828
CVE-2005-3308
Bugtraq ID: 15168