RunCMS ratefile.php lid Variable XSS

2006-02-22T04:47:40
ID OSVDB:23388
Type osvdb
Reporter roozbeh afrasiabi (roozbeh_afrasiabi@yahoo.com)
Modified 2006-02-22T04:47:40

Description

Vulnerability Description

RunCMS contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the 'lid' variable upon submission to the 'ratefile.php' script. This could allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[target]/public/modules/downloads/ratefile.php?lid={number}">[code]
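The request shape above puts a quote and markup after a numeric id, so the defence is to accept 'lid' only as an integer and to encode it wherever it is written back into HTML. The following is an added example, not RunCMS code and not a vendor patch; the function names and the hidden form field are assumptions, since the advisory does not show where 'lid' is echoed.

```php
<?php
// Added illustration, not RunCMS source. Function names are hypothetical.

/**
 * Accept 'lid' only if it is a plain positive decimal integer.
 * Returns the integer, or null when the request should be rejected.
 */
function parse_lid($raw): ?int
{
    // Rejects arrays (lid[]=1), empty strings, signs, quotes and markup.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    // Rejects zero, leading zeros and values that overflow an int.
    $lid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $lid === false ? null : $lid;
}

/**
 * Write the id back into the page (assumed here to be a hidden form field).
 * The value is encoded for an attribute context even though it is already
 * an int, so the output stays safe if validation is loosened later.
 */
function render_lid_field(int $lid): string
{
    $value = htmlspecialchars((string) $lid, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="lid" value="' . $value . '">';
}

// In a request handler this would be: parse_lid($_GET['lid'] ?? null)
// Constructed sample inputs: one valid id, then values shaped like the test URL.
$samples = ['42', '42">[code]', '-1', '', ['42']];
foreach ($samples as $raw) {
    $lid = parse_lid($raw);
    echo json_encode($raw), ' => ',
         $lid === null ? 'rejected (respond with HTTP 400)' : render_lid_field($lid),
         PHP_EOL;
}
```

Only the first sample is accepted; every other value is refused before any output is built.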

References:

Security Tracker: 1015663
Secunia Advisory ID: 18997
Other Advisory URL: http://kapda.ir/advisory-267.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0596.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0401.html
FrSIRT Advisory: ADV-2006-0694
CVE-2006-0875
Bugtraq ID: 16769