Security Advisory: RedLevel Advisory #017 - PsychoStats v3.0.6b Multiple Cross-Site Scripting Vulnerabilities

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  [SECURITY] [DSA 1297-1] New gforge-plugin-scmcvs packages fix arbitrary shell command execution
  WIYS v1.0 Cross-Site Scripting Vulnerability - (05.24.2007) (NEW)
  [waraxe-2007-SA#051] - Sql Injection in 2z Project 0.9.5
  ABC Excel Parser Pro v4.0 Remote File Include Exploit

From: john_(at)_martinelli.com <john_(at)_martinelli.com>
Date: 25.05.2007
Subject: RedLevel Advisory #017 - PsychoStats v3.0.6b Multiple Cross-Site Scripting Vulnerabilities

PsychoStats v3.0.6b Multiple Cross-Site Scripting Vulnerabilities

PsychoStats contains multiple cross-site scripting vulnerabilities that may be exploited through the URI.

Vulnerable Files: awards.php, login.php, register.php, weapons.php - other files may also be susceptible to this vulnerability.
Vulnerability: http://target.com/psychostats/weapons.php/>"><script>alert(1
)</script>
Vulnerable: PsychoStats v3.0.6b (other versions may also be vulnerable)
Google d0rk: "Powered by PsychoStats v3.0.6b"

John Martinelli
john@martinelli.com

RedLevel Security
RedLevel.org

May 19th, 2007