Cross Site Scripting In PsychoStats 2.2.4 Beta && Earlier

2004-12-24T00:00:00
ID SECURITYVULNS:DOC:7440
Type securityvulns
Reporter Securityvulns
Modified 2004-12-24T00:00:00

Description

GulfTech Security Research December 22nd, 2004

Vendor : Jason Morriss

URL : http://www.psychostats.com/

Version : PsychoStats 2.2.4 Beta && Earlier

Risk : Cross Site Scripting

Description: PsychoStats is a statistics generator for games. Currently there is support for a handful of Half-Life "MODs" including Counter-Strike, Day of Defeat, and Natural Selection. PsychoStats gathers statistics from the log files that game servers create by reading through the logs and then calculating detailed statistics for players, maps, weapons and clans. These detailed statistics are stored in a MySQL database and can then be viewed online from your website using a set of PHP web pages.

Cross Site Scripting: Cross site scripting exists in Jason Morriss' PsychoStats. This vulnerability exists because user-supplied input is not checked properly before it is reflected back into the page. Below is an example.

http://www.example.com/stats/login.php?login=[XSS]

This vulnerability could be used to steal cookie based authentication credentials within the scope of the current domain, or render hostile code in a victim's browser.
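The bug class above is reflected input written into HTML without encoding. The following is an added illustration, not PsychoStats code; the form layout, the `login` field and the allowed-character rule are assumptions. It shows the unsafe pattern beside the hardened one (output encoding with `htmlspecialchars()` plus an input allowlist):

```php
<?php
// Added example, not from PsychoStats: the real login.php layout is an assumption.

// Unsafe pattern: the query-string value is concatenated straight into the
// markup, so anything in ?login= becomes part of the page the browser renders.
function render_login_form_vulnerable(array $query)
{
    $login = isset($query['login']) ? $query['login'] : '';
    return '<input type="text" name="login" value="' . $login . '">';
}

// Hardened pattern, step 1: encode on output. ENT_QUOTES neutralises both
// double and single quotes, so the value cannot break out of the attribute,
// and an explicit charset avoids encoding-dependent surprises.
function render_login_form_safe(array $query)
{
    $login = isset($query['login']) ? $query['login'] : '';
    $encoded = htmlspecialchars($login, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="login" value="' . $encoded . '">';
}

// Hardened pattern, step 2 (defence in depth): reject values that cannot be a
// login name at all. The character set and length here are assumed, not the
// project's real rule; adjust to what the application actually accepts.
function is_valid_login($login)
{
    return is_string($login) && preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $login) === 1;
}

// How login.php would use both checks:
//   $login = isset($_GET['login']) ? $_GET['login'] : '';
//   if (!is_valid_login($login)) { $login = ''; }   // drop anything suspicious
//   echo render_login_form_safe(array('login' => $login));

// Constructed sample showing the difference (benign markup, no script):
$sample = array('login' => '"><b>injected</b>');
echo render_login_form_vulnerable($sample), "\n";
echo render_login_form_safe($sample), "\n";
var_dump(is_valid_login($sample['login']));   // rejected by the allowlist
var_dump(is_valid_login('player_01'));        // accepted
```

Encoding on output is the fix that closes the reported issue; the allowlist only narrows what reaches the page in the first place and does not replace encoding.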

Solution: The vendor was contacted, responded very promptly, said he would be addressing the issue soon, and has since released an updated version of the software.

http://www.psychostats.com/forums/viewtopic.php?t=11022

You can find directions on how to install the patch at the link listed above. Users should upgrade as soon as they can.

Related Info: The original advisory can be found at the following location: http://www.gulftech.org/?node=research&article_id=00057-12222004

Credits: James Bercegay of the GulfTech Security Research Team
