Cross Site Scripting Vulnerabilities

Last post 01-22-2009, 8:24 PM by Adam. 1 replies.
Sort Posts: Previous Next
  •  01-22-2009, 1:39 PM 47976

    Cross Site Scripting Vulnerabilities

    I used cute editor for php for my web application.  I ran a security scan for cross site scripting vulnerability on my application.
    It came back that the CuteEditor  (CuteEditor/CuteEditor_Files/Themes/Office2007/style.php) had 17 vulnerabilities.

    Vulnerability description
    This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

    Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
    This vulnerability affects /webcommon/CuteEditor/CuteEditor_Files/Themes/Office2007/style.php.
     
    The impact of this vulnerability
    Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
     
    Attack details
    The GET variable EditorID has been set to <iframe/+/onload=alert(401715976428)></iframe>.
    The GET variable EditorID has been set to <script>alert(401285976410)</script>.
    The GET variable EditorID has been set to <ScRiPt%20%0a%0d>alert(401295976410)%3B</ScRiPt>.
    The GET variable EditorID has been set to %3C/xss/*-*/style=xss:e/**/xpression(alert(401685976427))%3E.
     
     
    Any response to this problem is greatly appreciated.
     

  •  01-22-2009, 8:24 PM 47989 in reply to 47976

    Re: Cross Site Scripting Vulnerabilities

    Please email me the details. Adam@cutesoft.net.
     
     
    Also please open CuteEditor/CuteEditor_Files/Themes/Office2007/style.php and check the content of this file. Not sure this file can cause Cross Site Scripting attacks.

    asp.net Chat http://cutesoft.net/ASP.NET+Chat/default.aspx
    Web Messenger: http://cutesoft.net/Web-Messenger/default.aspx
    asp.net wysiwyg editor: http://cutesoft.net/ASP.NET+WYSIWYG+Editor/default.aspx
    asp wysiwyg html editor: http://cutesoft.net/ASP
    asp.net Image Gallery: http://cutesoft.net/ASP.NET+Image+Gallery/default.aspx
    Live Support: http://cutesoft.net/live-support/default.aspx

View as RSS news feed in XML