Buddy Zone delete_event.php XSS
2006-06-30T09:33:59Type osvdb
Reporter luny(luny@youfucktard.com)
Modified 2006-06-30T09:33:59
Description
Vulnerability Description
Buddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the delete_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Upgrade to version 1.0.1 (2006-07-15) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the July 15, 2006 release without a change in version number. An upgrade is required as there are no known workarounds.
Short Description
Buddy Zone contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate form fields upon submission to the delete_event.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
References:
Vendor URL: http://www.vastal.com/buddy-zone-social-networking-script.html Secunia Advisory ID:20933 Related OSVDB ID: 26990 Related OSVDB ID: 26986 Related OSVDB ID: 26988 Related OSVDB ID: 26989 Related OSVDB ID: 26993 Related OSVDB ID: 26979 Related OSVDB ID: 26992 Related OSVDB ID: 26987 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0011.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0245.html ISS X-Force ID: 27512 FrSIRT Advisory: ADV-2006-2645 Bugtraq ID: 18759
