Vigil@nce: SPIP, Cross Site Scripting of informer_auteur
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a Cross Site Scripting attack in the SPIP
informer_auteur page, in order to execute JavaScript code in the
context of the web browser of visitors.
– Severity: 2/4
– Creation date: 30/07/2010
DESCRIPTION OF THE VULNERABILITY
The SPIP "informer_auteur" page displays information on the author
of a document.
The prive/informer_auteur_fonctions.php file contains the function
informer_auteur(). However, this function does not filter the
"var_login" parameter.
An attacker can therefore trigger a Cross Site Scripting attack in the
SPIP informer_auteur page, in order to execute JavaScript code in
the context of the web browser of visitors.
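The defect described above, as an added illustration that is not SPIP's code: render_login_unsafe() and render_login_safe() are hypothetical functions showing a request parameter written into HTML unfiltered next to the escaped form; the real informer_auteur() in prive/informer_auteur_fonctions.php is not reproduced here.

```php
<?php
// Added example, not SPIP's code. The function and variable names below
// are hypothetical; only the parameter name var_login comes from the bulletin.

// Vulnerable pattern: var_login is inserted into the page unfiltered, so any
// markup or script contained in it is rendered by the visitor's browser.
function render_login_unsafe(string $var_login): string
{
    return '<span class="login">' . $var_login . '</span>';
}

// Hardened pattern: escape the value for the HTML context it is written into.
// ENT_QUOTES also escapes single quotes, so the result is safe inside either
// kind of quoted attribute; ENT_SUBSTITUTE avoids returning an empty string on
// invalid byte sequences; the charset must match the page's declared encoding.
function render_login_safe(string $var_login): string
{
    $escaped = htmlspecialchars($var_login, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="login">' . $escaped . '</span>';
}

// Constructed sample value containing markup and quotes (a test input, not a
// real login); in the application this would come from the request.
$sample = '"demo" <b>login</b>';

echo render_login_unsafe($sample), "\n";
echo render_login_safe($sample), "\n";
```

The second line of output shows every `<`, `>` and `"` replaced by an HTML entity, which is the check to make on any value the page echoes: it must be escaped at output time for the exact context (element body, attribute, URL, script) it lands in.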
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SPIP-Cross-Site-Scripting-of-informer-auteur-9798