by r0t,der4444,cembo,VietMafia

Sunday, December 18, 2005

Lutece XSS vuln.

Lutece XSS vuln.

Vuln. discovered by : r0t
Date: 18 dec. 2005
vendor:http://lutece.paris.fr
affected version:1.2.3 and prior

Product Description:

Lutece is a web portal engine that lets you quickly create internet or intranet dynamic sites based on HTML, XML or database contents. This Open Source software is written in Java and mainly based on Apache Software Foundation (Jakarta and XML projects). Lutece runs as well under Linux or Windows platforms. The default database is MySQL. Lutece provides a very simple administration interface that can be used directly by end users without any technical skills. Lutece is free software, distributed under a BSD like license.

Vuln. Description:

Lutece contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to search module paremters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input is properly sanitised.

0 Comments:

Post a Comment

<< Home

 
Copyright (c) 2006 Pridels Sec Crew