All In One Control Panel CP_Dpage.PHP Cross-Site Scripting Vulnerability
TITLE: All In One Control Panel CP_Dpage.PHP Cross-Site Scripting Vulnerability
CLASS: Input Validation Error
CVE:
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 06 2007 12:00AM
UPDATE: Jun 06 2007 12:00AM
CREDIT: The vendor reported this issue.
VULNERABLE:
Tecnick All In One Control Panel 1.3.16NOT VULNERABLE:
Tecnick All In One Control Panel 1.3.15
Tecnick All In One Control Panel 1.3.14
Tecnick All In One Control Panel 1.3.13
Tecnick All In One Control Panel 1.3.17
Vai alla pagina originale su Security Focus
Discussion
All In One Control Panel is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects versions prior to 1.3.017.
Exploit
An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.
Solution
Solution:
The vendor released an update to address this issue. Please see the references for more information.
Tecnick All In One Control Panel 1.3.13
- Tecnick aiocp_1_3_017.zip
http://downloads.sourceforge.net/aiocp/aiocp_1_3_017.zip?modtime=1181148813&big_mirror=0
Tecnick All In One Control Panel 1.3.14
- Tecnick aiocp_1_3_017.zip
http://downloads.sourceforge.net/aiocp/aiocp_1_3_017.zip?modtime=1181148813&big_mirror=0
Tecnick All In One Control Panel 1.3.15
- Tecnick aiocp_1_3_017.zip
http://downloads.sourceforge.net/aiocp/aiocp_1_3_017.zip?modtime=1181148813&big_mirror=0
Tecnick All In One Control Panel 1.3.16
- Tecnick aiocp_1_3_017.zip
http://downloads.sourceforge.net/aiocp/aiocp_1_3_017.zip?modtime=1181148813&big_mirror=0
References
References:
- All In One Control Panel Homepage (Tecnick )
- Notes and Changelog AIOCP 1.3.017 (Tecnick)