Computer Security

Security Advisory: [SA21383] CakePHP error.php Cross-Site Scripting Vulnerability
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  [SA21432] Comet WebFileManager "Language" File Inclusion Vulnerability

  [SA21397] YenerTurk Haber Script "id" SQL Injection Vulnerability

  [SA21379] The Address Book Reloaded Login SQL Injection Vulnerabilities

  [SA21364] The Address Book Login SQL Injection Vulnerabilities

From:SECUNIA <support_(at)_secunia.com>
Date:09.08.2006
Subject:[SA21383] CakePHP error.php Cross-Site Scripting Vulnerability


TITLE:
CakePHP error.php Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA21383

VERIFY ADVISORY:
http://secunia.com/advisories/21383/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
>From remote

SOFTWARE:
CakePHP 1.x
http://secunia.com/product/11247/

DESCRIPTION:
A vulnerability has been reported in CakePHP, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Input passed via the URL is not properly sanitised before being
returned in an "404 Not Found" error message in cake/libs/error.php.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

The vulnerability has been reported in versions prior to 1.1.7.3363.

SOLUTION:
Update to version 1.1.7.3363 or later.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://cakeforge.org/frs/shownotes.php?release_id=124

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru