PHPKIT Guestbook Homepage Field XSS

2005-11-07T11:27:18
ID OSVDB:20559
Type osvdb
Reporter Stefan Walk, Johann-Peter Hartmann (hartmann@freecharts.de), Christopher Kunz (christopher.kunz@hardened-php.net), Stefan Esser (sesser@hardened-php.net)
Modified 2005-11-07T11:27:18

Description

Vulnerability Description

PHPKIT contains a flaw that allows a remote cross-site scripting attack. The application does not validate or encode the "Homepage" field when it is submitted to the guestbook scripts, so an attacker can supply a specially crafted URL in that field that is later rendered to other visitors and executes arbitrary script in their browsers within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

At the time of this entry (2005-11-07), there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Security Tracker: 1015167
Secunia Advisory ID: 17479
Related OSVDB ID: 20553
Related OSVDB ID: 20554
Related OSVDB ID: 20555
Related OSVDB ID: 20556
Related OSVDB ID: 20557
Related OSVDB ID: 20558
Related OSVDB ID: 20560
Related OSVDB ID: 20561
Related OSVDB ID: 20562
Related OSVDB ID: 20563
Other Advisory URL: http://www.hardened-php.net/advisory_212005.80.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0182.html