title - Non-persistent XSS in slickMsg

Summary

Vulnerability
title - Non-persistent XSS in slickMsg
Discovered
2010.11.30
Last Update
n/a n/a
ID
EV0159
CVE
n/a
Risk Level
low
Type
Cross Site Scripting
Status
Unpatched. Vendor notified. No reply from developer(s).
Vendor
n/a
Vulnerable Software
slickMsg (http://slickmsg.sourceforge.net/)
Version
0.7-alpha
PoC/Exploit
Available
Solution
Not available
Discovered by
Aliaksandr Hartsuyeu (eVuln.com)

Description

Cross Site Scripting found in slickMsg (http://slickmsg.sourceforge.net/) script.

Non-persistent XSS
It is possible to inject xss code into title parameter in views/Thread/display/top.php script.

Parameter title is not properly sanitized before being used in HTML code.

Condition: register_globals: on

PoC/Exploit

Non-persistent XSS Example.

XSS example: http://site/slickmsg/views/Thread/display/top.php?title=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

Solution.

Solution for "title - Non-persistent XSS in slickMsg" is not available. Check vendor's website for updates.

Order Source Code Test

Check a website by source code review of your website or web application made by our team.The work will be done by experts in web application security.

Advisories by vuln type

Website Monitoring

Daily malware scanning. Allows to receive alerts about security problems in your website.
Details >>

Malicious redirects detected?

eVuln team will eliminate the reason, clean your website and monitor it.
Details >>

Website blacklisted?

eVuln team will clean your website, discover and fix security holes, remove from blacklists.
Details >>