Xcomputer Search.asp EXPS Variable XSS

2007-12-15T00:00:00
ID OSVDB:40166
Type osvdb
Reporter OSVDB
Modified 2007-12-15T00:00:00

Description

Vulnerability Description

Xcomputer contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'EXPS' variable upon submission to the 'Search.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Manual Testing Notes

http://[target]/Search.asp?EXPS=[XSS]

References:

Other Advisory URL: http://securityreason.com/securityalert/3239
ISS X-Force ID: 37217
CVE-2007-5479