ExpressionEngine-1.4.1.txt

2006-01-26T00:00:00
ID PACKETSTORM:43401
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2006-01-26T00:00:00

Description

                                        
                                            `New eVuln Advisory:  
ExpressionEngine 'Referer' XSS Vulnerability  
http://evuln.com/vulns/48/summary.html  
  
--------------------Summary----------------  
  
Software: ExpressionEngine  
Sowtware's Web Site: http://www.pmachine.com  
Versions: 1.4.1  
Critical Level: Moderate  
Type: Cross-Site Scripting  
Class: Remote  
Status: Unpatched  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
eVuln ID: EV0048  
  
-----------------Description---------------  
Vulnerable script: core.input.php  
  
Variable $_SERVER['HTTP_REFERER'] isn't properly sanitized. This can be used to post HTTP query with fake Referer value which may contain arbitrary html or script code. This code will be executed when administrator(or any user) will open Referrers Statistics.  
  
Administrator's session is threatened.  
  
  
--------------Exploit----------------------  
Available at: http://evuln.com/vulns/48/exploit.html  
  
GET /path/index.php HTTP/1.0  
Host: host  
Referer: http://<XSS>.com/;  
  
  
--------------Solution---------------------  
No Patch available.  
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
`