AOH :: HP Unsorted B :: C07-1040.HTM

b2evolution XSS Vulnerabilities



b2evolution XSS Vulnerabilities
b2evolution XSS Vulnerabilities



_________________________________________
Security Advisory
_________________________________________
_________________________________________

  Severity: Medium
  Title: b2evolution XSS Vulnerability
  Date: 28.11.06
  Author: tarkus (tarkus (at) tiifp (dot) org)
  Web: https://tiifp.org/tarkus
Vendor: b2evolution (http://b2evolution.net/) 
  Affected Product(s): b2evolution 1.8.2 - 1.9 beta
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Description:
------------

http:////inc/VIEW/errors/_404_not_found.page.php?bas \ 
eurl=[XSS]&app_name=[XSS]

http:////inc/VIEW/errors/_410_stats_gone.page.php?ap \ 
p_name=[XSS]

http:////inc/VIEW/errors/_referer_spam.page.php?ReqU \ 
RI=[XSS]&app_name=[XSS]



Workaround:
-----------

Put the following line at the beginning of the files.

if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page \
directly.' );



Timeline:
---------

Reported to Vendor:     10.11.06
Vendor response:        10.11.06
Patch in CVS:           10.11.06

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.