dadaimc : http://www.dadaimc.org

Security Vulnerabilities

XSS Vulnerability

Background

dadaIMC is content management software for the development of an Independent Media Center site.

Description

Versions of dadaIMC up to .99.3, before Auto-Update 2005-10-10, are vulnerable to the injection of JavaScript code through user-controlled input.

Analysis

Exploitation involves a specially constructed URL that poisons the value of the PHP_SELF variable, which is used to determine the current page name. The poisoned value is written unescaped into the ACTION attribute of a form, and the injected script is executed when the form is submitted.
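To make the class of bug concrete, the following is an added example (not dadaIMC's code, and not the actual fix shipped in dt_FunctionLibrary.inc 1.82): it contrasts a form ACTION built from the raw PHP_SELF with one built from a validated, HTML-escaped script name. The $server array is a constructed stand-in for $_SERVER, and the hardened function and its allow-list are illustrative choices.

```php
<?php
// Added example, not dadaIMC code. PHP_SELF is SCRIPT_NAME plus any extra
// path data (PATH_INFO) the client appended to the URL, so it carries
// attacker-controlled characters straight into the page.

// Vulnerable pattern: the raw PHP_SELF is written into an HTML attribute.
function form_action_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern: derive the page name from SCRIPT_NAME (the script path
// without PATH_INFO), keep only a plain filename matching a strict allow-list,
// and HTML-escape the result so it cannot break out of the attribute.
function form_action_safe(array $server): string
{
    $script = basename($server['SCRIPT_NAME'] ?? 'index.php');
    // Only letters, digits, dot, dash and underscore ending in .php are accepted;
    // anything else falls back to a known-good default.
    if (!preg_match('/^[A-Za-z0-9._-]+\.php$/', $script)) {
        $script = 'index.php';
    }
    $escaped = htmlspecialchars($script, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

// Constructed request environment: the client appended extra path data
// containing a double quote and angle brackets to the script URL.
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"<x>',
];

// The unsafe output lets the quote terminate the attribute early;
// the safe output is action="index.php".
echo form_action_unsafe($server), "\n";
echo form_action_safe($server), "\n";
```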

Detection

Versions of dt_FunctionLibrary.inc prior to 1.82 are susceptible to this vulnerability.

Workaround

Update your software using the Auto-Update module.

Timeline

Reported on 10-Oct-2005
Patched on 10-Oct-2005

Credit

Alster

Report Bugs

dadaIMC uses the Mantis bug-tracking system for bug reporting. Please use it! And check for existing reports of your bug before submitting a new one.

CVS

The current CVS version of dadaIMC is now browseable online. Be forewarned, though, that it is not always in a usable state as-is!
