
OpenAutoClassifieds XSS attack

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Software: OpenAutoClassifieds 1.x
Vendor: http://jonroig.com/freecode/openautoclassifieds/

Description:

A vulnerability has been identified in OpenAutoClassifieds, which can be exploited by malicious people to conduct Cross-Site Scripting attacks.

The vulnerability is caused by missing validation of input supplied to the "listing" parameter in "friendmail.php". This can be exploited by including arbitrary HTML or script code in the parameter, which will cause it to be executed in a user's browser session when viewed.

  

Example:

http://[victim]/openautoclassifieds/friendmail.php?listing=<script>alert(document.domain);</script>

The vulnerability has been confirmed in version 1.0.

  

Solution:

Filter malicious input in an HTTP proxy or firewall with URL filtering capabilities.

Edit the source code to ensure that user input is properly validated.
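The following is an added illustration of the source-level fix the solution calls for; it is not OpenAutoClassifieds' own code, and the handler shape, function names and the assumption that a listing identifier is a positive integer are all hypothetical. The first function reproduces the unsafe pattern the advisory describes (the raw "listing" value reflected into the page); the second validates the parameter before use and escapes it on output.

```php
<?php
// Added example, not code from OpenAutoClassifieds. A minimal, hypothetical
// friendmail.php-style handler: the unsafe reflection pattern beside a
// hardened replacement. Function and variable names are assumptions.

// Unsafe: reflects the raw "listing" query parameter into the HTML response,
// so any markup or script in the parameter becomes part of the page.
function render_form_unsafe(array $get): string
{
    $listing = $get['listing'] ?? '';
    return '<input type="hidden" name="listing" value="' . $listing . '">';
}

// Hardened: validate the identifier's shape first, then escape on output.
function render_form_safe(array $get): string
{
    // Assumption: a listing identifier is a positive integer. Anything else
    // is rejected outright rather than echoed back to the browser.
    $listing = filter_var($get['listing'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($listing === false) {
        http_response_code(400);
        return 'Invalid listing.';
    }
    // Defence in depth: escape even though the value is now a plain integer,
    // so a later change to the validation rule cannot reintroduce the bug.
    $escaped = htmlspecialchars((string) $listing, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="listing" value="' . $escaped . '">';
}

// Demonstration with a constructed input of the kind quoted in the advisory.
$probe = ['listing' => '"><script>alert(document.domain);</script>'];
echo render_form_unsafe($probe), PHP_EOL;            // script tag lands in the page
echo render_form_safe($probe), PHP_EOL;              // "Invalid listing."
echo render_form_safe(['listing' => '42']), PHP_EOL; // value="42"
```

Validation and escaping are separate controls here on purpose: the integer check stops the parameter being used as anything but an identifier, and `htmlspecialchars` guarantees that whatever does reach the HTML cannot break out of the attribute. Applying the same two steps to every parameter a script reflects is the general form of the fix.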

 

Reported by / credits:

David Sopas Ferreira, SystemSecure.org.

  
