Active Business Directory 2.0 XSS

2009.12.31
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Overall CVSS score: 4.3/10
Impact: 2.9/10
Exploitability: 8.6/10
Access required: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Author: Andrea Bocchetti
# Contact: flashcreazione@gmail.com
# Homepage : www.geekit.it

// Software Info
# Name : activebusinessdirectory
# Version : v 2
# Price : $499.00 USD

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks. Input passed via the "search" parameter to search.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

POC
http://name.com/demoactivebusinessdirectory/searchadvance.asp? <= xss

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them.

How to fix this vulnerability: the script should filter metacharacters from user input.
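The defect and the fix, as an added example that is not part of the advisory and not the vendor's code. The script itself is classic ASP, where the equivalent fix is to wrap every reflection in `Server.HTMLEncode`; the example below models the same reflected-search page in JavaScript so it can be run stand-alone. All function names, the template layout and the sample URL are assumptions constructed for the example.

```javascript
// Added example (not the vendor's code): a reflected-search page renderer that
// mirrors the search.asp defect described in the advisory and its fix.
// Assumption: the page reflects the "search" query parameter both as visible
// text and as the value of the search box; names here are hypothetical.

// Pull the "search" parameter out of a request URL (WHATWG URL API, decoded).
function extractSearchParam(requestUrl) {
  return new URL(requestUrl).searchParams.get('search') ?? '';
}

// Encode the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the parameter is concatenated into the page unchanged,
// which is what the advisory describes for search.asp.
function renderSearchVulnerable(search) {
  return `<h2>Results for: ${search}</h2>\n` +
         `<input type="text" name="search" value="${search}">`;
}

// Hardened pattern: the parameter is HTML-encoded at output time, in both the
// text-node context and the attribute-value context.
function renderSearchSafe(search) {
  const enc = escapeHtml(search);
  return `<h2>Results for: ${enc}</h2>\n` +
         `<input type="text" name="search" value="${enc}">`;
}

// Regression check for a reviewer or tester: render the template with the
// untrusted value and with an empty value, and compare how many raw '<'
// characters appear. Any increase means the input introduced its own markup.
function introducesMarkup(renderFn, input) {
  const count = (html) => (html.match(/</g) || []).length;
  return count(renderFn(input)) > count(renderFn(''));
}

function demo() {
  // Constructed sample request; the search value is a classic reflected-XSS
  // probe, URL-encoded as a browser would send it.
  const url = 'http://name.com/demoactivebusinessdirectory/search.asp'
            + '?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
  const search = extractSearchParam(url);
  console.log('vulnerable render introduces markup:',
              introducesMarkup(renderSearchVulnerable, search));  // true
  console.log('hardened render introduces markup:',
              introducesMarkup(renderSearchSafe, search));        // false
  console.log(renderSearchSafe(search));
}

demo();
```

Encoding at the point of output, rather than filtering characters out of the input, is the choice that survives the attribute-value context as well as the text-node context; a filter that only strips `<` and `>` still leaves the `value="..."` reflection breakable with a double quote.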

References:

http://xforce.iss.net/xforce/xfdb/55010
http://www.packetstormsecurity.org/0912-exploits/abd-xss.txt
http://secunia.com/advisories/37863
http://osvdb.org/61267


Copyright 2024, cxsecurity.com
