Armorize Technologies Security Advisory
Advisory No:
Armorize-ADV-2006-0005
Status:
Partial
Date:
2006/10/14
Summary:
Armorize-ADV-2006-0005 discloses multiple cross-site scripting vulnerabilities found in Gcontact, a Web-based address book written in Ajax/PHP. It offers multi-user support, multiple contact details per person (email, phone, ICQ, MSN, ...) and multiple addresses, birthday reminders by email, mailing-list management, Excel export, and more.
Affected Software:
Gcontact 0.6.5
Vulnerability Description:
Cross-Site Scripting
Analysis/Impact:
Allows malicious users to access restricted directories and/or view data outside the normal scope, which may lead to information theft and invasion of privacy.
Detection/Exploit (partial):
http://www.example.com/[PATH]/index.php
Protection/Solution:
1. Escape every untrusted value before it is placed in a URI or in HTML output.
2. Reject or remove prohibited user input.
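The two remediation steps above, shown side by side with the pattern they fix, as an added PHP example written for this advisory (it is not Gcontact code, and the parameter name "q", the contact-id format and the page layout are assumptions made for illustration):

```php
<?php
// Added example, not Gcontact code. Parameter "q", the numeric contact-id
// format and the page markup are assumptions for illustration only.

declare(strict_types=1);

// Vulnerable pattern: a user-controlled value copied into HTML verbatim,
// so any markup in it is interpreted by the browser instead of displayed.
function render_unsafe(string $q): string
{
    return "<p>Search results for: $q</p>";
}

// Step 1a, HTML body/attribute context: encode & < > " ' so the value is
// shown as text. ENT_SUBSTITUTE avoids returning "" on malformed UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Step 1b, URI query context: percent-encode before building the URL,
// then HTML-encode the finished URL when it goes into an attribute.
function u(string $value): string
{
    return rawurlencode($value);
}

function render_safe(string $q): string
{
    $link = 'index.php?q=' . u($q);
    return '<p>Search results for: ' . h($q) . '</p>'
         . '<a href="' . h($link) . '">permalink</a>';
}

// Step 2, reject prohibited input: for fields with a known shape (here an
// assumed numeric contact id) accept only that shape and drop everything else.
function contact_id_or_null(string $raw): ?string
{
    return preg_match('/^[0-9]{1,10}$/', $raw) === 1 ? $raw : null;
}

// Constructed sample input containing script markup, as a tester would send it.
$input = '<script>alert(1)</script>';

echo "Unsafe rendering:\n", render_unsafe($input), "\n\n";
echo "Escaped rendering:\n", render_safe($input), "\n\n";

// Allow-list check: the first value is accepted, the second is rejected.
var_dump(contact_id_or_null('42'));
var_dump(contact_id_or_null('42<img src=x>'));
```

Run it with `php example.php`: the first block echoes the script tag into the page unchanged, the second shows it as inert text with the permalink's query value percent-encoded, and the allow-list function returns `null` for the second id so the calling code can discard it rather than trying to clean it.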
Credit: Security Team at Armorize Technologies, Inc. (security@armorize.com)
Additional Information:
Link to this Armorize advisory
http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0005
Links to all Armorize advisories
http://www.armorize.com/advisory/
Links to Armorize vulnerability database
http://www.armorize.com/resources/vulnerability.php
Armorize Technologies is delivering the world's most advanced source code analysis solution for Web application security based on its award-winning and patent-pending verification technologies. Addressing security early in the software development life cycle (SDLC), Armorize CodeSecure proactively identifies and traces vulnerabilities in Web application source code, effectively hardening websites against today's ever growing security threats. CodeSecure's zero-false-positive accuracy, traceback support and Web 2.0-based interface make it the premium Web application security solution. For more information please visit: http://www.armorize.com.