phpWebSite Notes Module Multiple Field Script Injection

2004-08-31T00:00:00
ID OSVDB:9446
Type osvdb
Reporter James Bercegay()
Modified 2004-08-31T00:00:00

Description

Vulnerability Description

phpWebSite contains a flaw that may allow a malicious user to execute arbitrary scripts within a user's browser. The issue is triggered when a malicious user sends specially crafted scripts via the 'subject' and 'message' fields within the notes module. It is possible that the flaw may allow the execution of the script within the users browser in the context of the affected phpWebSite while accessing the notes module, resulting in a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, phpWebSite developers have released a patch to address this vulnerability.

Short Description

phpWebSite contains a flaw that may allow a malicious user to execute arbitrary scripts within a user's browser. The issue is triggered when a malicious user sends specially crafted scripts via the 'subject' and 'message' fields within the notes module. It is possible that the flaw may allow the execution of the script within the users browser in the context of the affected phpWebSite while accessing the notes module, resulting in a loss of integrity.

References:

Vendor URL: http://phpwebsite.appstate.edu/ Vendor Specific Advisory URL Security Tracker: 1011120 Secunia Advisory ID:12438 Related OSVDB ID: 9445 Related OSVDB ID: 9444 Related OSVDB ID: 9447 Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00048-08312004 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0008.html CVE-2004-1655