by r0t, der4444, cembo, VietMafia

Thursday, December 22, 2005

WAXTRAPP XSS vuln.

Vuln. discovered by: r0t
Date: 22 Dec. 2005
Vendor: http://www.waxtrapp.com
Affected version: 3.0.x; tested on 3.0.1 and previous versions.

Product Description:

WAXTRAPP is a development platform for fully personalized content distribution, content management, enterprise information portals and online information systems. WAXTRAPP is active since 1997 as a leading innovator in the internet software industry. With customers like TV networks, industry, e-government and healthcare WAXTRAPP has proven to be the most scalable and flexible system around and easily integrates with a wide range of external systems. The number one reason people choose WAXTRAPP is because it brings together inter- intra- extranet functionality with fully personalized portal functionality, where otherwise such projects would require the purchase of many different software products and expensive IT-projects to let them work together. This enables mid-sized companies to implement cost-saving solutions otherwise only affordable for multinationals.

Vuln. Description:

WAXTRAPP contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the search module parameters is not properly sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.


Solution:
Edit the source code to ensure that input reflected by the search module is properly sanitised (HTML-encoded for the context in which it is output).
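The pattern behind the fix, as an added example that is not WAXTRAPP's own code (the product's source is not on this page): a hypothetical search page that echoes the query term back into its HTML results, shown once as the advisory describes it (term inserted unchanged) and once hardened with output encoding. The parameter name `q`, the host `search.example.invalid` and the probe string are constructed for the example; the advisory only says "search module parameters".

```python
"""Reflected search parameter: vulnerable vs. hardened rendering.

Added example, not WAXTRAPP code. Assumes a hypothetical search page that
echoes the user's query term into the HTML results page, the pattern the
advisory describes.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request URL. The parameter name 'q' is an assumption.
SAMPLE_URL = (
    "http://search.example.invalid/search"
    "?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def query_param(url: str, name: str = "q") -> str:
    """Extract one query parameter exactly as the server would receive it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """The flaw: the term is inserted into the page unchanged."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """The fix: HTML-encode the term for the HTML body/attribute context.

    quote=True also encodes quotation marks, so the same helper is safe if
    the term is later placed inside a quoted attribute value.
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_raw_markup(page: str, term: str) -> bool:
    """Detection check used in review or testing: does the term, containing
    markup-significant characters, appear in the output unencoded?"""
    return any(c in term for c in "<>\"'&") and term in page


if __name__ == "__main__":
    term = query_param(SAMPLE_URL)
    for name, renderer in (("vulnerable", render_vulnerable),
                           ("hardened", render_hardened)):
        page = renderer(term)
        print(f"{name}: {page}")
        print(f"  raw markup reflected: {contains_raw_markup(page, term)}")
```

The encoding must match the output context: `html.escape` is correct for text and quoted attributes, but a term written into a `<script>` block or a URL needs the encoder for that context instead, and a check like `contains_raw_markup` run over the rendered response is a cheap regression test for a fix of this kind.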

1 Comments:

Blogger Scott A. Edwards told...

Are you tired of getting nice compliments on your blog, when really you're not making the kind of money that you deserve? Now you can join a completely FREE program. No buying and No selling. FREE to join. All you do is refer customers. To get started fast, click here: financial freedom site. It pretty much covers financial freedom related stuff and it's FREE to join.

11:37 AM

Copyright (c) 2006 Pridels Sec Crew