Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Xplico 0.5.7 (add.ctp) Remote XSS Vulnerability

🗓️ 02 Jul 2010 00:00:00Reported by Maximiliano Soler and Marcos GarciaType 
zeroscience
 zeroscience🔗 www.zeroscience.mk👁 13 Views

Xplico 0.5.7 Remote XSS Vulnerability allows remote attackers to inject code into web pages. Impact rating (3/5)

Code
<html><body><p>Xplico v0.5.7 (add.ctp) Remote XSS Vulnerability

Title: Xplico v0.5.7 (add.ctp) Remote XSS Vulnerability
Type: Remote
Impact: Cross-Site Scripting
Release Date: 02.07.2010
Release mode: Coordinated release


Summary
=======

The goal of Xplico is extract from an internet traffic capture the applications
data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP,
and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.
Xplico isn�t a network protocol analyzer. Xplico is an open source Network Forensic
Analysis Tool (NFAT).



Description
===========

Xplico is vulnerable to Cross-Site Scripting vulnerability. An attacker can use the
"POST" to take advantage of this vulnerability, injecting code into the web pages
viewed by other users.



--------------------------------------------------------------------------------

Detecting vulnerabilities
- /opt/xplico/xi/app/views/pols/add.ctp:13
- /opt/xplico/xi/app/views/pols/add.ctp:14
- /opt/xplico/xi/app/views/sols/add.ctp:10

--------------------------------------------------------------------------------



Vendor
======

Xplico Team - http://www.xplico.org



Affected Version
================

0.5.7


PoC
===

- /opt/xplico/xi/app/views/pols/add.ctp:13
echo $form-&gt;input('Pol.name',  array('maxlength'=&gt; 50, 'size' =&gt; '50','label' =&gt; 'Case
name&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp&amp;nbsp'));


Attack: Case name=[XSS] (POST)


Credits
=======

Vulnerability discovered by Marcos Garcia (@artsweb) and Maximiliano Soler (@maxisoler).


Solution
========

Upgrade to Xplico v0.5.8 (http://sourceforge.net/projects/xplico/files/)


Vendor Status
=============
[22.06.2010] Vulnerability discovered.
[22.06.2010] Vendor informed.
[22.06.2010] Vendor replied.
[24.06.2010] Asked vendor for confirmation.
[24.06.2010] Vendor confirms vulnerability.
[24.06.2010] Asked vendor for status.
[24.06.2010] Vendor replied.
[29.06.2010] Vendor reveals patch release date.
[29.06.2010] Coordinated public advisory.


References
==========

[1] http://www.xplico.org/archives/710


Changelog
=========

[02.07.2010] - Initial release


Web: http://www.zeroscience.mk
e-mail: [email protected] </p></body></html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Jul 2010 00:00Current
5.9Medium risk
Vulners AI Score5.9
xplico 0.5.7remote xssvulnerabilitycross-site scriptingxplico teamgnu/linux debianapachezero science lab
13