Hello list!

I want to warn you about Cross-Site Scripting and Remote HTML Include vulnerabilities in PHPXref.

-------------------------
Affected products:
-------------------------

Vulnerable are PHPXref 0.7 and previous versions. In version PHPXref 0.7.1 the developer fixed these vulnerabilities.

----------
Details:
----------

XSS (RXI) (WASC-08):

http://site/nav.html?javascript:alert(document.cookie)

RHI (WASC-12):

http://site/nav.html?http://websecurity.com.ua

------------
Timeline:
------------

2010.12.27 - announced at my site.
2010.12.28 - informed developers.
2010.12.29 - PHPXref 0.7.1 released (http://phpxref.sourceforge.net/Changelog).
2011.02.08 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4795/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
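An added example, not part of the original post and not PHPXref's code: a check that a navigation page could apply before using its raw query string as a frame or link target, which rejects both URL forms listed under Details. The function name `safeFrameTarget` and the assumption that the page uses the whole query string as the target are hypothetical; the post does not show how nav.html handles it.

```javascript
// Hypothetical helper (assumption: the page uses its entire query string as
// the URL of the document to load). Returns a same-origin http(s) URL, or
// null when the value must not be used as a navigation target.
function safeFrameTarget(search, pageHref) {
  const raw = search.startsWith("?") ? search.slice(1) : search;
  if (raw === "") return null;

  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding
  }

  // URL parsers strip tab/CR/LF and treat "\" like "/", so refuse them
  // instead of trying to reason about the normalised result.
  if (/[\u0000-\u001f\u007f\\]/.test(decoded)) return null;

  const page = new URL(pageHref);
  let target;
  try {
    target = new URL(decoded, page); // relative values resolve against the page
  } catch (e) {
    return null;
  }

  // Allow-list the scheme (blocks javascript:, data:, vbscript:, ...) and
  // require the same origin (blocks remote HTML include).
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (target.origin !== page.origin) return null;
  return target.href;
}

// Constructed sample inputs; the first two are the query strings from the post.
const PAGE = "http://site/nav.html";
const SAMPLES = [
  "?javascript:alert(document.cookie)",
  "?http://websecurity.com.ua",
  "?//websecurity.com.ua/",
  "?index.html",
];
for (const s of SAMPLES) {
  console.log(s, "->", safeFrameTarget(s, PAGE));
}
```
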