Info

Disclosure

Mar 27, 2006

Discovery

Unknown

Dates

Exploit

Mar 27, 2006

Solution

Dec 09, 2007

Description

phpmyfamily contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'name' variable upon submission to the 'track.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.4.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Simon E Booth

phpmyfamily

1.4.1

References

Bugtraq ID: 17278
Secunia Advisory ID: 19409
CVE ID: 2006-1425 (see also: NVD)
Related OSVDB ID: 24167
VUPEN Advisory: ADV-2006-1130
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1630.html
Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?release_id=560275&group_id=110402
http://sourceforge.net/tracker/index.php?func=detail&aid=1846950&group_id=110402&atid=656153
Other Advisory URL: http://www.h4cky0u.org/advisories/HYSA-2006-007-phpmyfamily.txt [ Link is 404 ]
Vendor URL: http://www.phpmyfamily.net/

Credit

matrix_killer - matrix_kabv.bg -

Direct URL: http://osvdb.org/24166