Info

Last Modified

10 months ago

Percent Complete

100%

Disclosure

Sep 08, 2005

Discovery

Unknown

Dates

Exploit

Sep 08, 2005

Solution

Unknown

Description

CJTagBoard contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'date', 'time', 'name', 'ip' and 'agent' variables upon submission to the 'details.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
OSVDB: Web Related

Solution

Upgrade to version 3.0 (2006-07-18) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the July 18, 2006 release without a change in version number. An upgrade is required as there are no known workarounds.

Products

CJ Website Design

CJTagBoard

3.0

References

Secunia Advisory ID: 16966
Related OSVDB ID: 19495 19496 19497 19498
CVE ID: 2005-2899 (see also: NVD)
ISS X-Force ID: 22424
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0105.html
Vendor URL: http://www.cj-design.com/

Manual Testing Notes

Credit

Psymera - psymerahotmail.com -

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

Anonymous - Wed Jul 19 20:05:37 -0500 2006

As a Moderator on the CJ Design Support Forums, I would just like to inform you that a fix the to CJ Tagboard has been posted at http://www.cjdesign.com/forum/viewtopic.phpt=117, and in time it should be filtered into the Zip files as soon as possible. Would it be possible to include this information on the vulnerability page to reflect this.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches