SaveWebPortal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'L_InsertCorrectly', 'L_MENUDX_Login', 'L_MENUDX_Username', 'L_MENUDX_Password', 'L_Ok', 'IMAGES_Url', 'L_MENUDX_Registration', 'BANNER_Url', 'L_MENUSX_Newsletter' and 'L_MENUDX_InsertEMail' variables upon submission to the 'menu_dx.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

• Security Tracker: 1014748
• Secunia Advisory ID: 16522
• Related OSVDB ID: 18927 18928 18929 18930 18931 18932 18933 18935 18936
• CVE ID: 2005-2688 (see also: NVD)
• Other Advisory URL: http://rgod.altervista.org/save_yourself_from_savewebportal34.html
• Vendor URL: http://www.circeos.it/

• rgod - rgod's Site