Vulnerability Note VU#664422

PhpWebSite contains multiple cross-site scripting vulnerabilities

Original Release date: 19 Oct 2004 | Last revised: 19 Oct 2004

Overview

PhpWebSite contains multiple cross-site scripting vulnerabilities that may allow an attacker to execute arbitrary script code in a user's web browser.

Description

PhpWebSite is an open-source web content management system. Certain PhpWebSite modules fail to properly filter URLs for malicious content. This may allow scripting code to be inserted into a URL and then executed within the user's web browser. The following PhpWebSite modules contain this vulnerability:

  • Calendar
  • Fatcat
  • Pagemaster
  • Site Search
  • Comments

In addition, error pages generated by PhpWebSite are reported to be vulnerable.
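
The flaw class described above, shown as an added PHP example that is not PhpWebSite code or part of the vendor patch: a value taken from the URL is written into a page unencoded, next to versions that encode or validate it. The function names, the `query` and `month` parameters, and the `/index.php` path are assumptions, and the input is constructed.

```php
<?php
// Added example: hypothetical handlers, not PhpWebSite source code.

// Encode untrusted text for an HTML text node or a quoted attribute value.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// BEFORE: a URL value is copied into the page as-is, so any markup it
// carries is parsed by the visitor's browser.
function search_results_unsafe(array $get): string {
    $q = $get['query'] ?? '';            // 'query' is an assumed parameter name
    return "<p>No results for $q</p>";
}

// AFTER: same page, with the value encoded for each context it lands in.
function search_results_safe(array $get): string {
    $q = $get['query'] ?? '';
    if (!is_string($q)) { $q = ''; }     // ?query[]=x arrives as an array
    $q = substr($q, 0, 200);             // a split UTF-8 byte is replaced by ENT_SUBSTITUTE
    $link = '/index.php?' . http_build_query(['query' => $q]); // URL-encode first
    return '<p>No results for ' . h($q) . '</p>'
         . '<a href="' . h($link) . '">Search again</a>';      // then HTML-encode
}

// Values with a known shape are validated, not filtered: anything that is
// not an integer from 1 to 12 falls back to the current month.
function calendar_month(array $get): int {
    $m = filter_var($get['month'] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 12]]);
    return $m === false ? (int) date('n') : $m;
}

// Error pages echo the requested URL, so they need the same encoding.
function error_page(string $requestUri): string {
    return '<h1>Not found</h1><p>' . h($requestUri) . '</p>';
}

// Constructed input: harmless markup standing in for injected content.
$get = ['query' => '"><b>probe</b>', 'month' => '13'];
echo search_results_unsafe($get), "\n";   // markup reaches the page intact
echo search_results_safe($get), "\n";     // markup arrives as inert text
echo calendar_month($get), "\n";          // out-of-range value is discarded
echo error_page('/index.php?module="><b>probe</b>'), "\n";
```

Encoding is applied where the value is written out, not where it is read, so every output context (text node, attribute, URL) gets the encoding it needs.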

Impact

An attacker may be able to execute arbitrary code in the web browser of a guest or logged-in user, with the privileges of that user.

Solution

Apply a Patch

PhpWebSite has released a patch to address this issue, available at http://www.phpwebsite.appstate.edu/downloads/security/phpwebsite-core-security-patch.tar.gz.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Appalachian State University | Affected | - | 19 Oct 2004

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

This vulnerability was publicly reported by GulfTech Security.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CAN-2003-0736
  • Date Public: 31 Aug 2004
  • Date First Published: 19 Oct 2004
  • Date Last Updated: 19 Oct 2004
  • Severity Metric: 0.60
  • Document Revision: 128
