VHCS HTTP error cross-site scripting
vhcs-http-error-xss (23209)
Description:
Virtual Hosting Control System (VHCS) is vulnerable to cross-site scripting. A remote attacker could embed malicious script in a URL request to the index.php script using unspecified parameters. Once a victim clicks the link, the server returns an HTTP error message that includes the script, and the code executes in the victim's Web browser within the security context of the hosting site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
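One way to look for attempts against the error page in web server logs, as an added example that is not part of the original advisory or of VHCS: it flags requests whose URL path ends in errordocs/index.php (the script named in the CVE-2005-3902 entry under References) and whose decoded query string carries markup. The Apache common/combined log format, the matching heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Script path from the CVE-2005-3902 description; the URL prefix in front of
# it depends on the installation, so only the suffix is matched (assumption).
ERROR_PAGE = "/errordocs/index.php"
# Heuristic (assumption): markup characters, javascript: URLs or event-handler
# attributes are not expected in a query string sent to an error page.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Request field of an Apache common/combined log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo up to max_rounds layers of percent-encoding (%253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_requests(log_lines):
    """Return (line_number, decoded_query) for suspicious error-page requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith(ERROR_PAGE):
            continue
        query = fully_decode(target.query)
        if SUSPICIOUS.search(query):
            hits.append((number, query))
    return hits


# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /errordocs/index.php?a=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2006:10:00:05 +0000] "GET /errordocs/index.php?x=%3Cscript%3E1%3C/script%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [01/Jan/2006:10:00:09 +0000] "GET /errordocs/index.php?x=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 633',
    '192.0.2.13 - - [01/Jan/2006:10:00:12 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    for number, query in flag_requests(SAMPLE_LOG):
        print(f"line {number}: {query}")
```

Hits on a host that still runs an affected version indicate probing or delivery attempts; the fix remains the upgrade listed under Remedy.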
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of VHCS (2.4.7 or later), available from the VHCS Web site. See References.
References:
- Full-Disclosure Mailing List, Tue Nov 22 2005 - 15:31:12 CST: VHCS 2.x HTTP Error Cross Site Scripting.
- VHCS Web site: VHCS - Downloads.
- BID-15538: Virtual Hosting Control System Error Message Cross-Site Scripting Vulnerability
- CVE-2005-3902: Cross-site scripting (XSS) vulnerability in gui/errordocs/index.php in Virtual Hosting Control System (VHCS) 2.2.0 through 2.4.6.2 allows remote attackers to inject arbitrary web script or HTML via query strings that are included in an error message, as demonstrated using a parameter containing script.
- OSVDB ID: 21060: VHCS Error Page (vhcs/gui/errordocs/index.php) XSS
- SA17704: VHCS Multiple Vulnerabilities
Platforms Affected:
- VHCS VHCS 2.2.0 - 2.4.6.2
Reported:
Nov 22, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
