US-CERT Vulnerability Notes Database
Vulnerability Note VU#664422

PhpWebSite contains multiple cross-site scripting vulnerabilities

Overview

PhpWebSite contains multiple cross-site scripting vulnerabilities that may allow an attacker to execute arbitrary code in a user's web browser.

I. Description

PhpWebSite is an open-source web content management system. Certain PhpWebSite modules fail to properly filter URLs for malicious content. This may allow scripting code to be inserted into a URL and then executed within the user's web browser when the module reflects that URL back into a page. The following PhpWebSite modules contain this vulnerability:
  • Calendar
  • Fatcat
  • Pagemaster
  • Site Search
  • Comments

In addition, error pages generated by PhpWebSite are reported to be vulnerable.
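The pattern behind this class of flaw, shown as an added example rather than PhpWebSite's own code: a module takes a value from the request (here a hypothetical "query" parameter) and interpolates it into HTML verbatim, so markup supplied in the URL becomes live script in the victim's browser. The hardened functions encode every untrusted value for the context it lands in (HTML body, URL query string, HTML attribute). The function names, the parameter name and the constructed input are assumptions for illustration.

```php
<?php
// Added example, not PhpWebSite code. Demonstrates the unfiltered-URL
// reflection the note describes and the output encoding that prevents it.

// Vulnerable pattern: the request value is dropped into markup unchanged.
function render_search_heading_unsafe(string $query): string
{
    return "<h2>Results for: $query</h2>";
}

// Hardened pattern for an HTML text context. ENT_QUOTES also encodes
// single quotes, so the same helper is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_search_heading_safe(string $query): string
{
    $escaped = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Results for: $escaped</h2>";
}

// Hardened pattern for a value carried forward in a link. urlencode() is
// the encoder for a value inside a query string; htmlspecialchars() then
// protects the attribute the finished URL is placed in. Two contexts, two
// encoders, applied in the order the value passes through them.
function render_next_link_safe(string $base, string $query, int $page): string
{
    $href = $base . '?query=' . urlencode($query) . '&page=' . $page;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">next</a>';
}

// Constructed input containing markup, standing in for what a module
// would receive from $_GET['query'] or a crafted REQUEST_URI.
$input = 'cert <script>x()</script>';

// The unsafe rendering returns the <script> element intact; a browser
// parsing the page would execute it with the viewing user's privileges.
echo render_search_heading_unsafe($input), PHP_EOL;

// The safe rendering returns the same text with <, > and quotes replaced
// by character references, so the browser displays it instead of running it.
echo render_search_heading_safe($input), PHP_EOL;

// The link rendering keeps the value usable as a query parameter while
// preventing it from breaking out of the href attribute.
echo render_next_link_safe('/index.php', $input, 2), PHP_EOL;
```

The point for a reviewer of any such module is that filtering "malicious content" out of a URL is the wrong framing: the reliable fix is to encode the value at the moment it is written into a page, using the encoder for that exact context, so nothing the request contains can change the structure of the generated HTML.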

II. Impact

An attacker may be able to execute arbitrary code in a guest or logged-in user's web browser with the privileges of that user.

III. Solution

Apply a Patch


PhpWebsite has released a patch to address this issue available at: http://www.phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch.tar.gz.

Systems Affected

Vendor: Appalachian State University
Status: Vulnerable
Date Notified/Date Updated: 19-Oct-2004

References

http://www.gulftech.org/?node=research&article_id=00048-08312004
http://www.securitytracker.com/alerts/2004/Aug/1011120.html
http://www.securityfocus.com/archive/1/332561
http://marc.theaimsgroup.com/?l=bugtraq&m=106062021711496&w=2
http://www.osvdb.org/displayvuln.php?osvdb_id=9445
http://www.osvdb.org/displayvuln.php?osvdb_id=3842
http://www.osvdb.org/displayvuln.php?osvdb_id=3846
http://www.osvdb.org/displayvuln.php?osvdb_id=3845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0736
http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822

Credit

This vulnerability was publicly reported by GulfTech Security.

This document was written by Jeff Gennari.

Other Information

Date Public: 2004-08-31
Date First Published: 2004-10-19
Date Last Updated: 2004-10-19
CERT Advisory:
CVE-ID(s): CAN-2003-0736
NVD-ID(s): CAN-2003-0736
US-CERT Technical Alerts:
Severity Metric: 0.60
Document Revision: 128

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2004 Carnegie Mellon University