From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Thu Jun 06 2002 - 09:09:44 CDT


    +/--------\-------- ALPER Research Labs ------/--------/+
    +/---------\------- Security Advisory -----/---------/+
    +/----------\------ ID: ARL02-A12 ----/----------/+
    +/-----------\----- salperolympos.org ---/-----------/+

    Advisory Information
    Name : php(Reactor) Cross Site Scripting Vulnerability
    Software Package : php(Reactor)
    Vendor Homepage : http://phpreactor.org/
    Vulnerable Versions: v1.2.7 and older
    Platforms : OS Independent, PHP
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 15/05/2002
    Vendor Replied : 15/05/2002
    Prior Problems : N/A
    Current Version : v1.2.7pl1 (immune)

    php(Reactor) is a set of integrated applications
    focusing on user interaction. Included are articles,
    content management, bbs/forums, polls, ecards, and
    chat events. Administration is quick and easy with
    a browser-based control panel.

    A Cross Site Scripting vulnerability exists in
    php(Reactor). This would allow a remote attacker
    to send information to victims from untrusted web
    servers, and make it look as if the information
    came from the legitimate server.

    The "browse.php" script, in the "comments" section, does not
    filter user input for the $go variable. So any user may
    craft a malicious link, gain information about
    users, and even may get the login information of the
    Here's the proof-of-concept link example:

    Note that, the $fid and $tid variables should be integers.
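    The issue described above, as an added illustration that is not php(Reactor)'s own code: a minimal handler in the style of a browse.php "comments" page, showing the unfiltered pattern beside a hardened version that validates $fid and $tid as integers and HTML-encodes $go before it reaches the page. The function names and the sample request are assumptions.

```php
<?php
// Added illustration, not php(Reactor) code. The parameter names go,
// fid and tid come from the advisory; the function names are assumed.

// Vulnerable pattern: query-string values are placed into HTML
// without validation or encoding, so $go is reflected as markup.
function render_vulnerable(array $get): string {
    $go  = $get['go'];   // untrusted, reflected unfiltered
    $fid = $get['fid'];  // should be an integer, never checked
    $tid = $get['tid'];  // should be an integer, never checked
    return "<a href=\"browse.php?fid=$fid&tid=$tid&go=$go\">$go</a>";
}

// Hardened pattern: integer parameters are validated as integers
// (and rejected, not echoed, when they are not), and the free-text
// parameter is HTML-encoded for the context it is written into.
function render_hardened(array $get): string {
    $fid = filter_var($get['fid'] ?? '', FILTER_VALIDATE_INT);
    $tid = filter_var($get['tid'] ?? '', FILTER_VALIDATE_INT);
    if ($fid === false || $tid === false) {
        return 'Invalid forum or thread id.';
    }
    $rawGo = (string)($get['go'] ?? '');
    // Encode for the text node and for the attribute separately.
    $goText = htmlspecialchars($rawGo, ENT_QUOTES, 'UTF-8');
    $query  = http_build_query(['fid' => $fid, 'tid' => $tid, 'go' => $rawGo]);
    $goAttr = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
    return "<a href=\"browse.php?$goAttr\">$goText</a>";
}

// Constructed sample request: valid ids, and a go value carrying markup.
$sample = ['fid' => '3', 'tid' => '17', 'go' => '<b>comments</b>'];
echo render_vulnerable($sample), "\n";  // markup survives intact
echo render_hardened($sample), "\n";    // markup is encoded as text

// Constructed sample with a non-integer id: rejected without reflection.
$bad = ['fid' => '3abc', 'tid' => '17', 'go' => 'comments'];
echo render_hardened($bad), "\n";
```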

    The vendor replied quickly, and has released a new version
    on 28/05/2002, which can be downloaded at

    Discovered on 15 May 2002 by
    Ahmet Sabri ALPER <salperolympos.org>
    ALPER Research Labs.

    Product Web Page: http://www.phpreactor.org/