Info

Disclosure

Mar 29, 2006

Discovery

Unknown

Dates

Exploit

Mar 29, 2006

Solution

Unknown

Description

Basic Analysis and Security Engine (BASE) contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate $_SERVER['REQUEST_URI'] variable upon submission to the PrintFreshPage() function. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to cvs version or version 1.2.5 (daiga) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Kevin Johnson	Basic Analysis and Security Engine (BASE)	1.1 (elizabeth)
		1.1.2 (zora)
		1.1.3 (lynn)
		1.1.4 (cheryl)
		1.2.0 (betty)
		1.2.1 (kris)
		1.2.2 (cindy)
		1.2.4 (melissa)
		1.0.1 (michelle)
		1.0.2 (racquel)
		0.9.7 (Initial Release)
		0.9.7.1 (Francis)
		0.9.8 (dhara)
		0.9.9 (brenna)
		1.0 (denise)
		1.2.5 (daiga)

References

Bugtraq ID: 17391
Secunia Advisory ID: 19544
CVE ID: 2006-1590 (see also: NVD)
Related OSVDB ID: 24307
Vendor URL: http://secureideas.sourceforge.net/
Other Advisory URL: http://sourceforge.net/mailarchive/forum.php?thread_id=10064470&forum_id=42223

Credit

Adam Ely - adam.ely780inc.com - 780 Inc.

Direct URL: http://osvdb.org/20835

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Kevin Johnson

Basic Analysis and Security Engine (BASE)

References

Credit