Online at: http://int21.de/cve/CVE-2008-0125-phpstats.html Cross Site Scripting (XSS) in phpstats 0.1_alpha, CVE-2008-0125 References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0125 http://www.michael-wagner.de/software/phpstats/ Description phpstats is a tool creating statistic information about a file tree. Note that the name is ambigious, there's more than one tool called phpstats. The application is vulnerable to simple Cross Site Scripting, which can be used to steal authentication information from other webapps if they're installed on the same hostname. Example Assuming phpstats is installed on http://localhost/phpstats/, one can inject JavaScript with: http://localhost/phpstats/phpstats.php?baseDir=<script>alert(1)</script> &mode=run Workaround/Fix Don't use phpstats on a hostname where other web applications are installed. Vendor has not replied and not fixed the issue yet. Disclosure Timeline 2008-02-13 Vendor contacted 2008-03-17 Published advisory CVE Information The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-0125 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed under the creative commons attribution license. Hanno Boeck, 2008-03-17, http://www.hboeck.de -- Hanno B??ck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno (at) hboeck (dot) de [email concealed] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux) iD8DBQBH3vJfr2QksT29OyARAnK1AKCPeStoL7V0H6FmQ4nciGsdkWsCmwCgoAmy WItcGQpg1yVziI98TpyuZ7w= =MKJE -----END PGP SIGNATURE-----