ReviewPost PHP Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'report' variables upon submission to the 'reportproduct.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Upgrade to version 2.84 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1012763
• Related OSVDB ID: 12703 12704 12706 12707 12708
• Secunia Advisory ID: 13697
• CVE ID: 2005-0270 (see also: NVD)
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0007.html
• Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00062-01022005
• Vendor URL: http://www.reviewpost.com/

• James Bercegay - securitygulftech.org - GulfTech Security Research