[MajorSecurity Advisory #52] ActualAnalyzer family - Cross Site Scripting Issues

Details
=======
Product: Actual Analyzer
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.actualscripts.com
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Affected Products:
----------------------------
ActualAnalyzer Server 8.37 and prior
ActualAnalyzer Gold 7.74 and prior
ActualAnalyzer Pro 6.95 and prior
Actual Analyzer Lite 2.78 and prior

Original Advisory:
============
http://www.majorsecurity.de/index_2.php?major_rls=major_rls52

Introduction
============
ActualAnalyzer is a powerful statistics-gathering and analysis tool for monitoring web site traffic.
It is equally effective for sites with low and high volumes of traffic and provides a wealth of comparative and analytical information.

More Details
============
Cross Site Scripting:
Input passed directly to the "language" parameter in "view.php" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

PoC:
=============
/view.php?&language=>">

Solution
=============
Edit the source code to ensure that input is properly sanitised.
Use the PHP functions "htmlspecialchars()" or "htmlentities()" to ensure that HTML tags and JavaScript code are not executed.

Example:

History/Timeline
================
05.05.2008 discovery of the vulnerabilities
05.05.2008 additional tests with other versions
07.05.2008 contacted the vendor
12.05.2008 advisory is written
13.05.2008 advisory released

MajorSecurity
================
MajorSecurity is a German pentest and security research project which focuses on web application security.
You can find more information on the MajorSecurity Project at http://www.majorsecurity.de/pentest.php
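
The fix described in the Solution section, as an added example that is not taken from the advisory or from ActualAnalyzer's code: the "language" value is checked against an allow-list and then encoded with htmlspecialchars() at the point of output. The function names, the allow-list values, the hidden form field and the use of PHP 8 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list; the advisory does not list the product's language values.
const ALLOWED_LANGUAGES = ['english', 'german', 'russian'];
const DEFAULT_LANGUAGE = 'english';

/** Encode a value for an HTML text node or a quoted attribute value. */
function html_escape(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close an attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Map the request parameter to a known language, falling back to the default. */
function select_language(mixed $raw): string
{
    // ?language[]=x arrives as an array; treat any non-string as absent.
    if (!is_string($raw)) {
        return DEFAULT_LANGUAGE;
    }
    return in_array($raw, ALLOWED_LANGUAGES, true) ? $raw : DEFAULT_LANGUAGE;
}

/** Render a form field that carries the selected language forward (assumed markup). */
function render_language_field(mixed $raw): string
{
    $language = select_language($raw);
    // Escape at output even though the value is allow-listed, so the encoding
    // step does not depend on the validation step staying intact.
    return '<input type="hidden" name="language" value="' . html_escape($language) . '">';
}

// Constructed inputs: a valid value, the string from the advisory's PoC line, an array.
// In view.php the argument would be $_GET['language'] ?? null.
foreach (['german', '>">', ['x']] as $input) {
    echo render_language_field($input), "\n";
}

// Encoding alone, for output that must echo free text back to the user.
echo html_escape('>">'), "\n";
```

htmlentities() accepts the same flags and charset argument; htmlspecialchars() is sufficient when the page is served as UTF-8.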