Embedthis Appweb Web Server 3.2.2-1 (Ejscript) Remote XSS Vulnerability

Title: Embedthis Appweb Web Server 3.2.2-1 (Ejscript) Remote XSS Vulnerability
Advisory ID: ZSL-2010-4985
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 23.12.2010
Summary
Appweb has a multi-threaded, event-driven core that delivers exceptional throughput, responsiveness and memory utilization. It is compact and can be embedded using as little as 800K of memory. Appweb is a standards-based embedded HTTP server with a wealth of features.
Description
Appweb Web Server suffers from a remote reflected Cross-Site Scripting vulnerability: input passed to the Ejscript web framework is not properly sanitized before being reflected into the response. An attacker can use this to execute arbitrary HTML and script code in a user's browser session and to aid phishing attacks.
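As an added illustration of the flaw class described above (this is not Appweb's or Ejscript's own code; the request shape and the parameter name "q" are assumed), the following JavaScript shows a handler that reflects a request parameter into HTML without output encoding, the hardened form, and a check that a test suite can apply to rendered output:

```javascript
// Illustrative example, not code from the advisory or the Appweb project.
// Entity-encode the characters that let untrusted text break out of HTML text
// or attribute context.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: the user-controlled value is concatenated into the page
// as-is, so markup in the request is reflected verbatim to the browser.
function renderUnsafe(query) {
  return `<p>Results for: ${query.q}</p>`;
}

// Hardened form: every untrusted value is encoded before it enters the HTML.
function renderSafe(query) {
  return `<p>Results for: ${htmlEscape(query.q)}</p>`;
}

// Regression check: if the input contained tag characters and the rendered
// page still contains the input verbatim, the value was reflected unencoded.
function reflectsRawMarkup(html, input) {
  return /[<>]/.test(input) && html.includes(input);
}

// Constructed sample request (hypothetical parameter name "q").
const sample = { q: '<script>alert(1)</script>' };
```

`reflectsRawMarkup(renderUnsafe(sample), sample.q)` is true and `reflectsRawMarkup(renderSafe(sample), sample.q)` is false, which is the property a fix for this class of bug has to establish for every reflected parameter.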
Vendor
Embedthis Software LLC - http://www.appwebserver.org
Affected Version
3.2.2-1
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[12.10.2010] Vulnerability discovered.
[12.11.2010] Contact with the vendor.
[12.11.2010] Vendor replies asking for more details.
[13.11.2010] Sent detailed description of the vulnerability to the vendor.
[15.11.2010] Working with the vendor.
[22.11.2010] Vendor plans a fix in version 3.2.3.
[23.12.2010] Vendor releases patch: http://appwebserver.org/downloads/appweb/download.php
[23.12.2010] Coordinated public advisory released.
PoC
appweb_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Michael O'Brien
References
[1] http://appwebserver.org/products/appweb/doc/product/changeLog.html#r3.2.3
[2] http://appwebserver.org/forum/viewtopic.php?f=1&t=1894
[3] http://secunia.com/advisories/42739/
[4] http://www.secuobs.com/revue/news/273977.shtml
[5] http://www.securityfocus.com/bid/45568
[6] http://securityreason.com/wlb_show/WLB-2010120116
[7] http://osvdb.org/show/osvdb/70086
[8] http://packetstormsecurity.org/files/97005
Changelog
[23.12.2010] - Initial release
[24.12.2010] - Added reference [3], [4] and [5]
[25.12.2010] - Added reference [6], [7] and [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk