Info

Disclosure

Jun 17, 2007

Discovery

Unknown

Dates

Exploit

Jun 17, 2007

Solution

Unknown

Description

Utopia News Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the password variable upon submission to the login.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Upgrade to version 1.4.0 (Released post June 22 2007) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Utopia Software

Utopia News Pro

1.4.0

References

CVE ID: 2007-3129 (see also: NVD)
Bugtraq ID: 24506
Secunia Advisory ID: 25702
Related OSVDB ID: 34165
ISS X-Force ID: 34902
VUPEN Advisory: ADV-2007-2236
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0370.html
http://www.securityfocus.com/archive/1/archive/1/471626/100/0/threaded
Other Advisory URL: http://www.netvigilance.com/advisory0034

Credit

Jesper Jurcenoks - jesper.jurcenoksnetvigilance.com - netVigilance, Inc.

Direct URL: http://osvdb.org/34165