Leadhound contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the the 'login', 'logged', 'offset' or 'date' variables upon submission to the agent_summary.pl script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

• Secunia Advisory ID: 19867
• CVE ID: 2006-2063 (see also: NVD)
• Related OSVDB ID: 25023 25030 25031 25032 25033 25034 25035 25036 25037 25038 25039 25040 25041 25042 25043 25044 25045 25046 25047 25049 25060
• Mail List Post: http://attrition.org/pipermail/vim/2006-April/000728.html
• Other Advisory URL: http://pridels.blogspot.com/2006/04/leadhound-multiple-vuln.html
• Vendor URL: http://www.leadhoundnetwork.com/

• r0t - UNSECURED SYSTEMS