PHPClassifieds General posting classified ads cross-site scripting

phpclassifieds-postingad-xss (27454) The risk level is classified as MediumMedium Risk

Description:

PHPClassifieds General is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the 'title', 'url or domain', or 'description' form field when posting a classified ad to execute script in a victim's Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim's cookie-based authentication credentials.


Consequences:

Gain Access

Remedy:

No remedy available as of February 6, 2010.

References:

  • BugTraq Mailing List, Wed Jun 28 2006 - 15:43:04 CDT: PHPClassifieds General.
  • phpclassifieds.info Web site: phpclassifieds.info - The Ultimate Classifieds Software.
  • BID-18713: PHPClassifieds.Info Multiple Input Validation Vulnerabilities
  • BID-18717: PHP/MySQL Classifieds AddAsset1.PHP Multiple HTML Injection Vulnerabilities
  • CVE-2006-3330: Cross-site scripting (XSS) vulnerability in AddAsset1.php in PHP/MySQL Classifieds (PHP Classifieds) allows remote attackers to execute arbitrary SQL commands via the (1) ProductName (Title field), (2) url, and (3) Description parameters, possibly related to issues in add1.php.
  • SA20880: PHP/MySQL Classifieds Script AddAsset1.php Script Insertion
  • SECTRACK ID: 1016407: PHPClassifieds Permits Cross-Site Scripting Attacks and Lets Remote Users Inject SQL Commands
  • VUPEN/ADV-2006-2589: PHP/MySQL Classifieds Script Multiple Parameter Cross Site Scripting Vulnerabilities

Platforms Affected:

  • phpclassifieds.info PHPClassifieds General

Reported:

Jun 28, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page