ASPapp ProjectApp XSS

2003-12-18T00:00:00
ID OSVDB:3401
Type osvdb
Reporter OSVDB
Modified 2003-12-18T00:00:00

Description

Vulnerability Description

ProjectApp contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the "msg" variable upon submission. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Technical Description

An example of this vulnerability is:

default.asp?msg=%3Ciframe%3E
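The request above reflects the "msg" parameter into the page without encoding, so the percent-encoded value decodes to a raw `<iframe>` tag in the response. The following added example, which is not ProjectApp's code and assumes a hypothetical page template, shows the unencoded reflection beside its output-encoded form and a small check over constructed IIS-style log lines that flags requests whose decoded "msg" value contains markup. In classic ASP the equivalent of `html.escape` is `Server.HTMLEncode`.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical page template standing in for default.asp's output.
PAGE = "<html><body><p>{msg}</p></body></html>"


def render_vulnerable(msg: str) -> str:
    """Reflect the parameter as-is: the behaviour the advisory describes."""
    return PAGE.format(msg=msg)


def render_hardened(msg: str) -> str:
    """Encode the parameter before it reaches the HTML body (Server.HTMLEncode in ASP)."""
    return PAGE.format(msg=html.escape(msg, quote=True))


def msg_from_url(url: str) -> str:
    """Extract and percent-decode the first msg value from a full URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("msg", [""])[0]


# Constructed URL using the advisory's query string; the host is a placeholder.
ADVISORY_URL = "http://example.invalid/default.asp?msg=%3Ciframe%3E"

# Constructed W3C extended log lines: date time method uri-stem uri-query status.
SAMPLE_LOG = [
    "2003-12-18 10:00:01 GET /default.asp msg=Welcome 200",
    "2003-12-18 10:00:07 GET /default.asp msg=%3Ciframe%3E 200",
    "2003-12-18 10:00:09 GET /default.asp - 200",
]


def find_suspicious_msg(lines):
    """Return log lines whose decoded msg value carries angle brackets."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        query = fields[4]
        if query == "-":  # IIS writes '-' when there is no query string
            continue
        for value in parse_qs(query).get("msg", []):
            if "<" in value or ">" in value:
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    payload = msg_from_url(ADVISORY_URL)
    print("decoded msg:", payload)
    print("vulnerable :", render_vulnerable(payload))
    print("hardened   :", render_hardened(payload))
    print("flagged    :", find_suspicious_msg(SAMPLE_LOG))
```

The decoded payload appears verbatim in the vulnerable rendering and as `&lt;iframe&gt;` in the hardened one; only the second log line is flagged.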

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. The vendor has committed to releasing a patch.

Short Description

ProjectApp contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the "msg" variable upon submission. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

References:

Vendor URL: http://www.aspapp.com/apps/products.asp?catid=66&prodid=portalapp
Secunia Advisory ID: 10465
Related OSVDB ID: 3125
Related OSVDB ID: 3400
Other Advisory URL: http://archives.neohapsis.com/archives/sans/2003/0180.html
Other Advisory URL: http://www.gulftech.org/12182003.php
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-12/0274.html
ISS X-Force ID: 14041
Bugtraq ID: 9250