| Summary | HTML INJECT Vulenrability |
| Queue | IMP |
| Queue Version | 4.1 |
| Type | Bug |
| State | No Feedback |
| Priority | 2. Medium |
| Owners | |
| Requester | asamad (at) arpatech (dot) com |
| Created | 03/05/2007 (6715 days ago) |
| Due | |
| Updated | 04/13/2007 (6676 days ago) |
| Assigned | 03/05/2007 (6715 days ago) |
| Resolved | 04/13/2007 (6676 days ago) |
| Github Issue Link | |
| Github Pull Request | |
| Milestone | |
| Patch | No |
provide us with a proof of concept.
but when an
authenticated used would click on a malformed url the html would be
injected in the same
session which could lead to html code inject on the client side.
Abdus Samad
ARPATECH
State ⇒ Feedback
sites provided by the url parameter, which could be abused for
phishing attacks, and we should probably fix this the same way like we
recently did in horde/index.php.
But I can't see how this allow injection. And please always check the
latest version when reporting a security issue.
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ HTML INJECT Vulenrability
Queue ⇒ IMP
State ⇒ Unconfirmed
due to a failure in
the application to properly sanitize variable 'url'.
Attacker-supplied HTML and script code would be executed in the
context of the affected
Web site, potentially allowing for theft of cookie-based
authentication credentials. An
attacker could also exploit this issue to control how the site is
rendered to the user;
other attacks are also possible.
This would effect even an unauthenticated user which could be directed
to a malicious web page resulting in information theft or even system
compromise by injecting Trojans.
PROOF OF CONCEPT CODE:
http://<HOST>/index.php?url=<any web.html>
A prompt responce will be highly appreciated.
Thankyou
Abdus Samad
Advanced Research Projects and Technologies