Fuzzylime Low.PHP Cross Site Scripting Vulnerability
TITLE: Fuzzylime Low.PHP Cross Site Scripting Vulnerability
CLASS: Input Validation Error
CVE:
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 18 2007 12:00AM
UPDATE: Jun 18 2007 12:00AM
CREDIT: rm is credited with discovering this vulnerability.
VULNERABLE:
Fuzzy Lime Fuzzy Lime Forum 1.01BNOT VULNERABLE:
Fuzzy Lime Fuzzy Lime Forum 1.0
Fuzzy Lime Fuzzy Lime Forum 1.01c
Vai alla pagina originale su Security Focus
Discussion
Fuzzylime is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Fuzzylime 1.01b and prior versions are vulnerable to this issue.
Exploit
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
The following proof-of-concept URI is available:
Solution
Solution:
The vendor released Fuzzylime 1.01c to address this issue. Please see the references for more information.
Fuzzy Lime Fuzzy Lime Forum 1.0
- Fuzzy Lime v1.01c
http://forum.fuzzylime.co.uk/files/forum.zip
Fuzzy Lime Fuzzy Lime Forum 1.01B
- Fuzzy Lime v1.01c
http://forum.fuzzylime.co.uk/files/forum.zip
References
References:
- FuzzyLime Homepage (FuzzyLime)
- fuzzylime (forum) XSS ( rm)