ArbitroWeb PHP Proxy 0.5/0.6 Cross-Site Scripting Vulnerability

2014-07-01T00:00:00
ID SSV:77964
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                source: http://www.securityfocus.com/bid/10592/info

It is reported that ArbitroWeb is susceptible to a cross-site scripting vulnerability in its rawURL URI parameter.

The URI parameter passed to 'index.php' called 'rawURL' contains the desired target for the proxy to connect to. This parameter is improperly sanitized, and may be used in a cross-site scripting attack.

An attacker may craft a URI that contains malicious HTML or script code. If a victim user follows this link, the HTML contained in the affected URI parameter will be executed in the context of the vulnerable site.

The attacker could use this vulnerability to steal cookie-based authentication credentials, or perform other types of attacks. 

http://www.example.com/?rawURL=<script>javascript:alert();</script>