SECURITYVULNS:DOC:14693
Oct 14, 2006 - 12:00 a.m.

Multiple XSS Vulnerability in Gcontact

2006-10-14 00:00:00
vulners.com

Armorize Technologies Security Advisory

Advisory No:
Armorize-ADV-2006-0005

Status:
Partial

Date:
2006/10/14

Summary:
Armorize-ADV-2006-0005 discloses multiple cross-site scripting vulnerabilities found in Gcontact, a Web-based address book written in Ajax/PHP. It offers multi-user support, multiple contact methods per person (email, phone, icq, msn, …) and multiple addresses per person, birthday reminders by email, mailing-list management, Excel export, etc.

Affected Software:
Gcontact 0.6.5

Vulnerability Description:
Cross-Site Scripting

Analysis/Impact:
Allows malicious users to access restricted directories and/or view data outside the normal scope, which may lead to information theft and invasion of privacy.

Detection/Exploit (partial):
http://www.example.com/[PATH]/index.php

Protection/Solution:

  1. Escape every questionable URI and HTML script.
  2. Remove prohibited user input.
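The two solution steps applied to a PHP page like index.php, as an added example that is not Gcontact's code: a handler that reflects request data raw, beside a hardened version that escapes at output time for the HTML and URL contexts and rejects input that fails validation. The parameter names `name` and `id` and the page layout are assumptions.

```php
<?php
// Added example, not Gcontact's code. Parameter names and layout are assumed.
declare(strict_types=1);

// Vulnerable pattern: request data is written straight into the HTML response,
// so any markup in the parameter becomes part of the page.
function render_greeting_vulnerable(array $get): string
{
    $name = $get['name'] ?? '';
    return '<p>Hello, ' . $name . '</p>';
}

// Step 1: escape at the point of output, for the context the value lands in.
// ENT_QUOTES covers both quote styles, so the result is also safe inside attributes.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_greeting_safe(array $get): string
{
    $name = $get['name'] ?? '';
    return '<p>Hello, ' . escape_html($name) . '</p>';
}

// Step 2: refuse input that does not match the expected shape instead of
// trying to clean it. A contact id is only ever a decimal number here (assumed).
function validate_contact_id(string $raw): ?string
{
    return ctype_digit($raw) ? $raw : null;
}

// An href needs URL encoding for the query string and HTML escaping for the attribute.
function render_profile_link_safe(string $rawId): string
{
    $id = validate_contact_id($rawId);
    if ($id === null) {
        return '<p>Invalid contact id.</p>';
    }
    $query = http_build_query(['id' => $id]);
    return '<a href="index.php?' . escape_html($query) . '">Profile</a>';
}

// Constructed sample request (not captured traffic) to compare the two handlers.
$sample = ['name' => '<script>alert(1)</script>'];
echo render_greeting_vulnerable($sample), PHP_EOL; // script tag is delivered as markup
echo render_greeting_safe($sample), PHP_EOL;       // same text, now rendered as literal characters
echo render_profile_link_safe('42'), PHP_EOL;
echo render_profile_link_safe('42"><img src=x onerror=alert(1)>'), PHP_EOL; // rejected
```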

Credit: Security Team at Armorize Technologies, Inc. ([email protected])

Additional Information:
Link to this Armorize advisory
http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0005

Links to all Armorize advisories
http://www.armorize.com/advisory/

Links to Armorize vulnerability database
http://www.armorize.com/resources/vulnerability.php

Armorize Technologies is delivering the world's most advanced source code analysis solution for Web application security based on its award-winning and patent-pending verification technologies. Addressing security early in the software development life cycle (SDLC), Armorize CodeSecure proactively identifies and traces vulnerabilities in Web application source code, effectively hardening websites against today's ever-growing security threats. CodeSecure's zero-false-positive accuracy, traceback support and Web 2.0-based interface make it the premium Web application security solution. For more information please visit: http://www.armorize.com.