DCP-Portal user_update.php cross-site scripting

dcpportal-userupdate-css (8197)

Medium Risk

Description:

DCP-Portal is vulnerable to cross-site scripting. A remote attacker with a valid account could use the user_update.php script to embed malicious script within HTML tags in the (Job) field, which would be executed in the victim's Web browser once the attacker's profile page is viewed.

Platforms Affected:

• DCP-Portal, DCP-Portal 3.7
• DCP-Portal, DCP-Portal 4.0 final
• DCP-Portal, DCP-Portal 4.1 final
• DCP-Portal, DCP-Portal 4.2

Remedy:

No remedy available as of November 22, 2008.

Consequences:

Other

References:

• ALPER Research Labs Security Advisory ARL02-A03, DCP-Portal Cross Site Scripting Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2002-02/0164.html.
• DCP-Portal Web site, DCP-Portal.com::DCP-Portal - Welcome at http://www.dcp-portal.com/.
• BID-4112: DCP-Portal User Details Cross-Agent Scripting Vulnerability
• CVE-2002-0281: Cross-site scripting vulnerability in DCP-Portal 4.2 and earlier allows remote attackers to gain privileges of other portal users by providing Javascript in the job information field to user_update.php.

Reported:

Feb 15, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page