access2asp contactsList.asp Multiple Variable XSS

2007-06-22T12:22:38
ID OSVDB:37751
Type osvdb
Reporter r0t (krustevs@googlemail.com)
Modified 2007-06-22T12:22:38

Description

Vulnerability Description

access2asp contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'od' and 'search' variables upon submission to the contactsList.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
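
With no fix available, one compensating control is to review web server logs for requests to contactsList.asp whose 'od' or 'search' values carry HTML markup characters. The following is an added example, not part of the original advisory or the vendor's code; the IIS W3C log layout, the sample lines, the function names and the character heuristic are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

WATCHED_PARAMS = {"od", "search"}   # parameters named in the advisory
MARKUP = re.compile(r"[<>\"']")     # assumed heuristic: HTML-breaking characters


def flagged_params(query):
    """Return the watched parameter names whose decoded value contains markup."""
    hits = set()
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        # parse_qs decodes once; decode again to catch double encoding.
        if any(MARKUP.search(v) or MARKUP.search(unquote_plus(v)) for v in values):
            hits.add(name.lower())
    return sorted(hits)


def scan_iis_log(lines):
    """Return (line_number, flagged_params) for each suspicious log entry."""
    stem_i = query_i = None
    findings = []
    for lineno, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            # Column positions come from the log's own header.
            fields = line.split()[1:]
            ok = "cs-uri-stem" in fields and "cs-uri-query" in fields
            stem_i = fields.index("cs-uri-stem") if ok else None
            query_i = fields.index("cs-uri-query") if ok else None
            continue
        if line.startswith("#") or stem_i is None:
            continue
        cols = line.split()
        if len(cols) <= max(stem_i, query_i):
            continue  # truncated entry
        if cols[stem_i].lower().endswith("/contactslist.asp"):
            hits = flagged_params(cols[query_i])
            if hits:
                findings.append((lineno, hits))
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2007-06-22 12:00:01 GET /contactsList.asp search=smith&od=name 192.0.2.10 200",
    "2007-06-22 12:00:05 GET /contactsList.asp search=%3Cscript%3Ex%3C/script%3E 192.0.2.44 200",
    "2007-06-22 12:00:09 GET /contactsList.asp od=%253Cb%253E&search=a 192.0.2.44 200",
    "2007-06-22 12:00:12 GET /default.asp search=%3Cb%3E 192.0.2.10 200",
]
```

The character check is deliberately broad, so a legitimate search term containing an apostrophe will also be flagged and needs manual review.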

References:

Vendor URL: http://www.access2asp.com/
Secunia Advisory ID: 25807
Related OSVDB ID: 37750
Other Advisory URL: http://pridels-team.blogspot.com/2007/06/access2asp-xss-vuln.html
ISS X-Force ID: 35025
FrSIRT Advisory: ADV-2007-2371
CVE-2007-3414