Status:

Not yet addressed

Synopsis:

The remote web server is prone to cross-site scripting attacks.

Description:

The remote web server hosts one or more cgi scripts that fail to

adequately sanitize request strings with malicious JavaScript. By

leveraging this issue, an attacker may be able to cause arbitrary HTML

and script code to be executed in a user's browser within the security

context of the affected site. These XSS vulnerabilities are likely to

be 'non-persistent' or 'reflected'.

See Also:

http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent

http://www.Site Scanner.org/u?9717ad85

http://projects.webappsec.org/Cross-Site+Scripting

Risk Factor:

Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Solution:

Restrict access to the vulnerable application. Contact the vendor

for a patch or upgrade.

Output:

Using the POST HTTP method, Site Scanner found that :

+ The following resources may be vulnerable to cross-site scripting (extended patterns) :

+ The 'terms' parameter of the /forum/search.php CGI :

/forum/search.php?&sr=topics&search_id=unreadposts [terms=508 src=http:/

/www.example.com/exploit508.js]

-------- output --------

<br />

<form method="post" action="./search.php?&amp;sr=topics&amp;search_id=un

readposts&terms=508 src=http://www.example.com/exploit508.js">

<table width="100%" cellspacing="1">

------------------------

+ The 'username' parameter of the /forum/ucp.php CGI :

/forum/ucp.php?mode=sendpassword [username=508 src=http://www.example.co

m/exploit508.js]

-------- output --------

<tr>

<td class="row1" width="38%"><b class="genmed"> [...]

<td class="row2"><input type="text" class="post" name="username" size="2

5" value="508 src=http://www.example.com/exploit508.js" /></td>

</tr>

<tr>

------------------------

Other references : CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116, CWE:692, CWE:86