TUCoPS :: HP Unsorted C :: tb10364.htm

chcounter 3.1.3 cross site scripting
CVE-2007-1871: Cross site scripting in chcounter 3.1.3
CVE-2007-1871: Cross site scripting in chcounter 3.1.3



--nextPart1761431.GIqyFCeIQQ
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Cross site scripting in chcounter 3.1.3

security advisory

References:
http://chcounter.org/ 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1871 

Description:
 Cross site scripting describes attacks that allow to insert malicious
 html or javascript code via get or post forms. This can be used to steal
 session cookies.
 chcounter is some free software php script for website statistics. The
 login form on the start page can be used to insert javascript code.

Workaround/Fix:
 There's no vendor fix.
 Vendor has been contacted 2007-03-11 and has not answered yet.

Sample Code:
action=http://chcounterinstallation/stats/>
CVE Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-1871 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright: This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed creative commons attribution: http://creativecommons.org/licenses/by/3.0/ Hanno Boeck, 2007-04-12, www.hboeck.de --nextPart1761431.GIqyFCeIQQ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.3 (GNU/Linux) iD8DBQBGHXJTr2QksT29OyARAjMLAJ45fXiqD+ZEBDN7qCSXn3PfR9FxzQCfSLHF xIhN06feVry7ykUEMMbJcG4=KAYc -----END PGP SIGNATURE----- --nextPart1761431.GIqyFCeIQQ--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH