Jax PHP Scripts Multiple Cross-Site Scripting Vulnerabilities

No exploit is required.

The following proof of concept URI are available:
http://www.example.com/guestbook/jax_guestbook.php?page=2&language=english&guestbook_id=0&gmt_ofs=0[XSS-CODE]
http://www.example.com/guestbook/jax_guestbook.php?page=2&language=english[XSS-CODE]&guestbook_id=0&gmt_ofs=0
http://www.example.com/guestbook/jax_guestbook.php?page=2[XSS-CODE]&language=english&guestbook_id=0&gmt_ofs=0
http://www.example.com/guestbook/jax_guestbook.php?mailto=9aa43a5efc2585681c97993d777bcd41&language=english[XSS-CODE]
http://www.example.com/petitionbook/shrimp_petition.php?page=3&language=English&guestbook_id=0&gmt_ofs=0[XSS-CODE]
http://www.example.com/petitionbook/shrimp_petition.php?page=3&language=English[XSS-CODE]&guestbook_id=0&gmt_ofs=0
http://www.example.com/petitionbook/shrimp_petition.php?page=3[XSS-CODE]&language=English&guestbook_id=0&gmt_ofs=0
http://www.example.com/newsletter/jax_newsletter.php?language=German[XSS-CODE]&ml_id=1
http://www.example.com/newsletter/sign_in.php?do=sign_in&language=german[XSS-CODE]&ml_id=1&ml_id=1
http://www.example.com/newsletter/archive.php?language=spanish[XSS-CODE]
http://www.example.com/linklists/jax_linklists.php?language=English[XSS-CODE]
http://www.example.com/linklists/jax_linklists.php?do=list&list_id=0&language=english&cat=Religion[XSS-CODE]
http://www.example.com/calendar/jax_calendar.php?Y=2005[XSS-CODE]&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld
http://www.example.com/calendar/jax_calendar.php?Y=2005&m=8[XSS-CODE]&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld
http://www.example.com/calendar/jax_calendar.php?Y=2005&m=8&d=2[XSS-CODE]&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+KF6rper+im+elektromagnetischen+Feld
http://www.example.com/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0[XSS-CODE]&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+KF6rper+im+elektromagnetischen+Feld
http://www.example.com/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish[XSS-CODE]&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld
http://www.example.com/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0[XSS-CODE]&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld
http://www.example.com/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30[XSS-CODE]&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld
http://www.example.com/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00[XSS-CODE]&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld
http://www.example.com/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld[XSS-CODE]
http://www.example.com/dwt_editor/dwt_editor.php?language=english[XSS-CODE]&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor
http://www.example.com/dwt_editor/dwt_editor.php?language=english&cur_dir=[XSS-CODE]%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor
http://www.example.com/dwt_editor/dwt_editor.php?do=editarea&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor%2Ffiles%2Fzweit+ebene&file=5db14c3963eff6b87ce20155708fd867&language=german&area=textbereich2[XSS-CODE]


 

Privacy Statement
Copyright 2010, SecurityFocus