by r0t, der4444, cembo, VietMafia

Thursday, December 22, 2005

WAXTRAPP XSS vuln.

Vuln. discovered by: r0t
Date: 22 Dec. 2005
Vendor: http://www.waxtrapp.com
Affected version: 3.0.x; tested on 3.0.1 and previous versions.

Product Description:

WAXTRAPP is a development platform for fully personalized content distribution, content management, enterprise information portals and online information systems. WAXTRAPP has been active since 1997 as a leading innovator in the internet software industry. With customers such as TV networks, industry, e-government and healthcare, WAXTRAPP has proven to be the most scalable and flexible system around and easily integrates with a wide range of external systems. The number one reason people choose WAXTRAPP is that it brings together inter-, intra- and extranet functionality with fully personalized portal functionality, where otherwise such projects would require the purchase of many different software products and expensive IT projects to make them work together. This enables mid-sized companies to implement cost-saving solutions otherwise only affordable for multinationals.

Vuln. Description:

WAXTRAPP contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the search module's parameters is not properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in another user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
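From the defender's side, the crafted URLs this flaw invites are visible in the web server's access log: the search parameter arrives URL-encoded but decodes to raw markup. The following added example (not code from the advisory or from WAXTRAPP) runs a conservative check over constructed access-log lines; the `/search` path and the `q` parameter name are assumptions, since the advisory does not name the actual endpoint or parameters.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in common log format (not taken from the page).
# The second request carries a percent-encoded "<b>test</b>" in the search parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Dec/2005:11:00:01 +0100] "GET /search?q=portal HTTP/1.1" 200 5120
10.0.0.9 - - [22/Dec/2005:11:02:17 +0100] "GET /search?q=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5140
10.0.0.7 - - [22/Dec/2005:11:03:40 +0100] "GET /index.html HTTP/1.1" 200 2048
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Markup characters or a javascript: scheme have no business in a plain search term.
MARKUP_RE = re.compile(r'[<>]|javascript:', re.IGNORECASE)


def suspicious_search_requests(log_text, params=("q",)):
    """Return (client_ip, param, decoded_value) for requests whose search
    parameter decodes to something containing HTML markup."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes the values, so the check sees "<b>test</b>",
        # not "%3Cb%3E...".
        query = parse_qs(urlsplit(match.group(1)).query)
        for param in params:
            for value in query.get(param, []):
                if MARKUP_RE.search(value):
                    hits.append((line.split()[0], param, value))
    return hits


if __name__ == "__main__":
    for ip, param, value in suspicious_search_requests(SAMPLE_LOG):
        print(f"{ip} sent markup in '{param}': {value!r}")
```

One decoding pass is deliberate: a value that is percent-encoded twice decodes to a string that still contains `%3C`, so if the application decodes more than once, extend the check to decode again before matching.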


Solution:
Edit the source code to ensure that input passed to the search module is properly sanitised before it is echoed back to the user.
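What "properly sanitised" means in practice is that the search term must be encoded for the context it is written into. The following added example (not code from the advisory or from WAXTRAPP, whose source is not shown) places a vulnerable reflection of a search parameter next to a hardened one; the handler names and the `q` parameter are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit


def search_term_from_url(url):
    """Extract the (assumed) 'q' search parameter from a request URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_results_unsafe(term):
    """Vulnerable pattern: the user-supplied term is written into the page verbatim,
    so any markup it contains becomes part of the DOM."""
    return f"<p>Results for: {term}</p>"


def render_results_safe(term):
    """Hardened pattern: HTML-encode the term before it lands in the page body.
    quote=True also encodes quotes, so the same helper is safe inside attributes."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def echoes_raw_markup(rendered, term):
    """True when the rendered page still contains the unencoded markup from 'term'."""
    return "<" in term and term in rendered


if __name__ == "__main__":
    # Constructed request with harmless markup in the search term.
    url = "http://example.invalid/search?q=%3Cb%3Etest%3C%2Fb%3E"
    term = search_term_from_url(url)
    print("unsafe:", render_results_unsafe(term))
    print("safe:  ", render_results_safe(term))
```

Encoding at output time, as above, is what stops the reflection; rejecting input that merely contains `<` would break legitimate searches and still leave other contexts (attributes, script blocks) unprotected.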

1 Comment:

Anonymous said...

Are you tired of getting nice compliments on your blog, when really you're not making the kind of money that you deserve? Now you can join a completely FREE program. No buying and No selling. FREE to join. All you do is refer customers. To get started fast, click here: financial freedom site. It pretty much covers financial freedom related stuff and it's FREE to join.

11:37 AM

Copyright (c) 2006 Pridels Sec Crew