AOH :: HP Unsorted D :: BT-30031.HTM

DataLife Engine referer vulns
Vulnerability in Referer for DataLife Engine
Vulnerability in Referer for DataLife Engine

Hello Bugtraq!

I want to warn you about security vulnerability in Referer module for
DataLife Engine (DLE).

Advisory: Vulnerability in Referer for DataLife Engine
Affected products: Referer (aka "Perehody" on Russian) v.6.9 and previous

29.06.2009 - found vulnerability.
11.02.2010 - announced at my site.
13.02.2010 - informed admin of web site where I found the vulnerability.
15.02.2010 - informed developers of DataLife Engine (at first I thought that
hole existed in DLE, and admin of vulnerable web site didn't answer me and
didn't fix the hole, but DLE developers said that hole is not in their
engine and they didn't know what the module it is).
19.02.2010 - informed developers of the module (after I found that it's
Referer module).
23.04.2010 - disclosed at my site.

This is Cross-Site Scripting vulnerability.


It's persistent XSS vulnerability. Which allows to conduct the attack via
Referer header, in case when immediate links to queries in search engines
are showing at the site.


Best wishes & regards,
Administrator of Websecurity web site 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to