[VIM] Phpauction GPL security vulnerability question
security curmudgeon
jericho at attrition.org
Mon Jul 18 02:57:25 EDT 2005
Hello,
On July 08, 2005, a security researcher named Diabolic Crab posted a
security advisory related to the Phpauction GPL product. You can find the
full advisory and various vulnerability database entries at the following:
http://digitalparadox.org/viewadvisories.ah?view=41
http://securitytracker.com/id?1014423
http://www.secunia.com/advisories/15967/
Based on the original report, it appears that some of these issues may not
be accurate. The main two that stand out from this advisory are:
/login.php?username=<script>alert(document.cookie)</script>
Cross Site Scripting
/viewnews.php?id=<script>alert(document.cookie)</script>
Cross Site Scripting
The login.php appears to be the PHPAUCTION web site client login, and not
necessarily part of the Phpauction software package. The viewnews.php
script appears to be the PHPAUCTION web site news links for clients as
well, and likely not part of the Phpauction package.
Can you confirm these two scripts are not part of the Phpauction software?
Can you also confirm the other vulnerabilities listed in the advisory?
Thank you!
Brian
OSVDB.org