Oxwall 1.1.1 Cross Site Scripting

2012-02-22T00:00:00
ID PACKETSTORM:110046
Type packetstorm
Reporter Ariko-Security
Modified 2012-02-22T00:00:00

Description

                                        
                                            `  
Our addition to yesterday YGn advisory:  
  
  
# CVE-2012-0872  
  
============ { Ariko-Security - Advisory #2/2/2012 } =============  
  
OxWall Cross-site scripting (XSS)  
  
  
Vendor's description of software and download:  
# Oxwall Foundation http://www.oxwall.org/  
  
Dork:  
# N/a  
  
Application Info:  
#OxWall 1.1.1  
  
  
Vulnerability Info:  
# Type: XSS   
  
Time Table:  
# 13/02/2012 - Vendor notified  
  
  
XSS:  
#Input passed to the "plugin" parameter in index.php is not properly sanitised before being returned to the user.  
  
Solution:  
# Input validation of vulnerable parameters should be corrected.  
  
POC:  
  
http://site/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E  
  
advisory:  
http://advisories.ariko-security.com/2012/audyt_bezpieczenstwa_2m2.html  
  
Credit:  
# Discoverd By: Ariko-Security 2012  
  
Ariko-Security  
Rynek Glowny 12  
32-600 Oswiecim  
tel:. +48 33 4741511 mobile: +48 784086818  
(Mo-Fr 10.00-20.00 CET)  
  
Ariko-Security Sp. z o.o. z siedzib± w O¶wiêcimiu , zarejestrowana przez S±d Rejonowy dla m. Krakowa-¦ródmie¶cia, XII Wydzia³ Gospodarczy Krajowego Rejestru S±dowego, KRS: 00000358273, NIP: 549-239-90-67, REGON 121262172  
  
  
  
  
  
  
  
  
`