XAMPP 1.7.7 Multiple URI Based Cross-Site Scripting Vulnerabilities
Vendor: Apache Friends
Product web page: http://www.apachefriends.org
Affected version: 1.7.7 (Windows)
Summary: XAMPP is an easy to install Apache distribution containing
MySQL, PHP and Perl.
Desc: XAMPP suffers from multiple XSS issues in several scripts that
use the 'PHP_SELF' variable. The vulnerabilities can be triggered in
the 'xamppsecurity.php', 'cds.php' and 'perlinfo.pl' because there
isn't any filtering to the mentioned variable in the affected scripts.
Attackers can exploit these weaknesses to execute arbitrary HTML and
script code in a user's browser session.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Advisory ID: ZSL-2011-5054
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5054.php
06.11.2011
--
http://localhost/security/xamppsecurity.php/">
http://localhost/xampp/perlinfo.pl/">
http://localhost/xampp/cds.php/">