Info

Disclosure

Oct 13, 2005

Discovery

Sep 28, 2005

Dates

Exploit

Oct 13, 2005

Solution

Unknown

Description

YaPiG contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate JavaScript when adding an image-related comment to the 'homepage' form field. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

NaTaSaB	YaPiG	0.95b
		0.94u

References

Bugtraq ID: 15092 15095
Secunia Advisory ID: 17041
Related OSVDB ID: 19959 19960
CVE ID: 2005-4799 (see also: NVD)
ISS X-Force ID: 22750 22752
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-10/0161.html
Other Advisory URL: http://www.seclab.tuwien.ac.at/advisories/TUVSA-0510-001.txt
Vendor URL: http://yapig.sourceforge.net
Keyword: TUVSA-0510-001

Credit

Nenad Jovanovic - enjiinfosys.tuwien.ac.at - Secure Systems Lab, Technical University of Vienna

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

NaTaSaB

YaPiG

References

Credit