SaveWebPortal contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the 'TABLE_Width', 'L_Visitors', 'SITE_Author', 'count', 'SITE_Logo', 'BANNER_Url', 'L_Sunday', 'L_Monday', 'L_January', 'L_February', 'IMAGES_Url', 'L_Info' and 'L_Help' variables upon submission to the 'header.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
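
A detection check for the issue described above, as an added example that is not part of the original advisory or of SaveWebPortal's code: it flags access-log requests to header.php in which one of the listed variables carries HTML markup characters. The combined log format, the /portal/ path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Variable names the advisory lists as unvalidated in header.php.
AFFECTED = {"TABLE_Width", "L_Visitors", "SITE_Author", "count", "SITE_Logo",
            "BANNER_Url", "L_Sunday", "L_Monday", "L_January", "L_February",
            "IMAGES_Url", "L_Info", "L_Help"}

# Characters that let a value break out of HTML text or a quoted attribute.
MARKUP = re.compile(r"[<>\"']")

# Assumption: Apache/nginx "combined" log format. Only the query string is
# visible here; POST bodies are not written to the access log.
REQUEST = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def suspicious_params(log_line):
    """Return (client, [(param, decoded_value), ...]) when a header.php request
    carries markup in one of the affected variables, otherwise None."""
    m = REQUEST.match(log_line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/header.php"):
        return None
    # parse_qsl percent-decodes names and values, so encoded markup is caught.
    hits = [(k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)
            if k in AFFECTED and MARKUP.search(v)]
    return (client, hits) if hits else None

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:10:00:00 +0000] '
    '"GET /portal/header.php?L_Info=%22%3E%3Cb%3Etest HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [01/Jan/2000:10:00:05 +0000] '
    '"GET /portal/header.php?count=12 HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.9 - - [01/Jan/2000:10:00:09 +0000] '
    '"GET /portal/index.php?q=%3Cb%3E HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        hit = suspicious_params(line)
        if hit:
            print("flag:", hit)
```

The same list of names can drive the fix: each of these variables needs validation on input and HTML-escaping wherever header.php writes it into the page.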