OSVDB ID: 74417

Title: AChecker documentation/frame_header.php p Parameter XSS

Dates

Disclosure: Aug 06, 2011
Discovery: Aug 01, 2011
Exploit: Aug 06, 2011
Solution: Nov 15, 2011

Description

AChecker contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'p' parameter upon submission to the documentation/frame_header.php script. This may allow an attacker to create a specially crafted URL that, when followed, executes arbitrary script code in the victim's browser within the trust relationship between that browser and the server. Additionally, the program may disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
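As an added illustration, not code from AChecker or from this OSVDB record: the pattern the description names, a request parameter written straight into HTML output, beside a hardened form that treats 'p' as untrusted. The file layout, the documentation page names and the markup are assumptions; the actual frame_header.php is not shown here.

```php
<?php
// Hypothetical documentation frame header (not AChecker's code) that
// reflects the 'p' request parameter into its HTML output.

// Vulnerable pattern: the raw value is concatenated into markup, so a crafted
// URL turns the parameter into script or tags in the viewer's page. Reading a
// missing key also raises a PHP warning, which on a server with display_errors
// enabled prints the script's absolute path (a common path-disclosure cause).
function header_vulnerable(array $get): string
{
    $p = $get['p'];
    return '<div class="doc-header">Page: ' . $p . '</div>';
}

// Hardened pattern: accept only a string, restrict it to the pages the header
// actually knows about, and HTML-encode whatever is echoed so it can never
// become markup. Page names below are assumed for the example.
const DOC_PAGES = ['index', 'checker', 'guidelines'];

function header_hardened(array $get): string
{
    $p = (isset($get['p']) && is_string($get['p'])) ? $get['p'] : 'index';
    if (!in_array($p, DOC_PAGES, true)) {
        $p = 'index';   // unknown value: fall back rather than reflect it
    }
    $safe = htmlspecialchars($p, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="doc-header">Page: ' . $safe . '</div>';
}

// Constructed inputs: a benign request, one carrying markup, and one where
// 'p' arrives as an array (p[]=x), which string concatenation mishandles.
$benign  = ['p' => 'checker'];
$markup  = ['p' => '<i>not a page</i>'];
$array   = ['p' => ['x']];

echo header_vulnerable($benign), "\n";   // Page: checker
echo header_vulnerable($markup), "\n";   // tags reach the browser unencoded
echo header_hardened($benign), "\n";     // Page: checker
echo header_hardened($markup), "\n";     // falls back to the 'index' page
echo header_hardened($array), "\n";      // non-string rejected, 'index' page
```

Keeping display_errors off in production (and logging instead) closes the path-disclosure side of the report independently of the escaping fix.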

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

The original researcher has reported that a fix was released on 2011-11-15, but no details were provided.

Products

Vendor: ATutor
Product: AChecker
Version: 1.2

References

Credit

Unknown or Incomplete
Direct URL: http://osvdb.org/74417