Cross Site Scripting Vulnerabilities

  •  01-22-2009, 1:39 PM

    Cross Site Scripting Vulnerabilities

    I used cute editor for php for my web application.  I ran a security scan for cross site scripting vulnerability on my application.
    It came back that the CuteEditor  (CuteEditor/CuteEditor_Files/Themes/Office2007/style.php) had 17 vulnerabilities.

    Vulnerability description
    This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

    Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
    This vulnerability affects /webcommon/CuteEditor/CuteEditor_Files/Themes/Office2007/style.php.
     
    The impact of this vulnerability
    Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
     
    Attack details
    The GET variable EditorID has been set to <iframe/+/onload=alert(401715976428)></iframe>.
    The GET variable EditorID has been set to <script>alert(401285976410)</script>.
    The GET variable EditorID has been set to <ScRiPt%20%0a%0d>alert(401295976410)%3B</ScRiPt>.
    The GET variable EditorID has been set to %3C/xss/*-*/style=xss:e/**/xpression(alert(401685976427))%3E.
     
     
    Any response to this problem is greatly appreciated.
     

View Complete Thread