XAMPP 1.7.7 Cross Site Scripting

2011-11-08 / 2011-11-09

Credit: Gjoko 'LiquidWorm' Krstic

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

XAMPP 1.7.7 Multiple URI Based Cross-Site Scripting Vulnerabilities
Vendor: Apache Friends
Product web page: http://www.apachefriends.org
Affected version: 1.7.7 (Windows)
Summary: XAMPP is an easy to install Apache distribution containing
MySQL, PHP and Perl.
Desc: XAMPP suffers from multiple XSS issues in several scripts that
use the 'PHP_SELF' variable. The vulnerabilities can be triggered in
the 'xamppsecurity.php', 'cds.php' and 'perlinfo.pl' because there
isn't any filtering to the mentioned variable in the affected scripts.
Attackers can exploit these weaknesses to execute arbitrary HTML and
script code in a user's browser session.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Advisory ID: ZSL-2011-5054
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5054.php
06.11.2011
--
http://localhost/security/xamppsecurity.php/"><script>alert(1)</script>
http://localhost/xampp/perlinfo.pl/"><script>alert(1)</script>
http://localhost/xampp/cds.php/"><script>alert(1)</script>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5054.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

XAMPP 1.7.7 Cross Site Scripting

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.