RADactive I-Load contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate multiple unspecified parameters (parameters that begin with two underscores "__") upon submission to the 'WebcodeModule.ashx' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Upgrade to version 2008.2.5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2009-3450 (see also: NVD)
• Secunia Advisory ID: 23807
• ISS X-Force ID: 53348
• Related OSVDB ID: 58194 58196 58197
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2009-09/0160.html
• Vendor URL: http://i-load.radactive.com/
• Vendor Specific Advisory URL: http://radnet.radactive.com/forum/Default.aspx?g=posts&t=339
• Other Advisory URL: https://www.sec-consult.com/files/20090917-0_RADactive_I-Load_Multiple_Vulnerabilities.txt

• Stefan Streichsbier - researchsec-consult.com - SEC Consult