You are here: start » security » glfusion-2009-02-09
Table of Contents

"username" Script Insertion Vulnerability

Critical: Highly critical

Impact: Cross Site Scripting

Where: Remote

Solution Status: Vendor Patch

Description

A vulnerability has been reported in glFusion, which can be exploited by malicious people to conduct script insertion attacks.

Input passed via the “username” parameter to lib-comment.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious comment is viewed.

Successful exploitation of this vulnerability requires that anonymous comments are enabled.

This vulnerability is reported in version 1.1.1. Other versions may also be affected.

Solution

Apply security update.

http://www.glfusion.org/article.php/xsscomments

This vulnerability has been fixed in glFusion v1.1.2 and later versions

Provided and/or discovered by

Bjarne Mathiesen Schacht

CVE reference

CVE-2009-0455

security/glfusion-2009-02-09.txt · Last modified: 2010/02/02 02:12 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3