XAMPP 1.7.7 Multiple URI Based Cross-Site Scripting Vulnerabilities

Title: XAMPP 1.7.7 Multiple URI Based Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-5054
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 07.11.2011
Summary
XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl.
Description
XAMPP suffers from multiple XSS issues in several scripts that use the 'PHP_SELF' variable. The vulnerabilities can be triggered in 'xamppsecurity.php', 'cds.php' and 'perlinfo.pl' because the affected scripts apply no filtering or encoding to that variable before writing it into the page. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.
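The pattern behind the advisory, shown as an added example that is not XAMPP's own code: a PHP form action built from PHP_SELF next to a hardened version. The function names and the sample request values are constructed, and the advisory does not say which attribute the scripts write PHP_SELF into, so a form action is assumed.

```php
<?php
// Added example (not from XAMPP): why an unfiltered PHP_SELF is a reflected
// XSS sink, and how to fix it. PHP_SELF is SCRIPT_NAME plus any PATH_INFO the
// client appended to the URL, so its tail is attacker-controlled input.

// Vulnerable pattern as the advisory describes it (constructed, not copied
// from the affected scripts): the raw value lands inside an HTML attribute.
function form_action_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: use SCRIPT_NAME, which carries no client-supplied PATH_INFO, and
// HTML-encode it anyway so the attribute context cannot be broken out of.
function form_action_hardened(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? $server['PHP_SELF'];
    return '<form action="'
        . htmlspecialchars($path, ENT_QUOTES, 'UTF-8')
        . '" method="post">';
}

// Constructed request: the client appended PATH_INFO containing markup.
// Only the script name is fixed by the server; the tail came from the URL.
$server = [
    'SCRIPT_NAME' => '/security/xamppsecurity.php',
    'PHP_SELF'    => '/security/xamppsecurity.php/"><b>injected</b>',
];

// The vulnerable form closes the attribute and emits live markup; the
// hardened form yields a plain, fully encoded action path.
echo form_action_vulnerable($server), PHP_EOL;
echo form_action_hardened($server), PHP_EOL;
```

Detection for the review of similar code is a grep for `PHP_SELF` written without `htmlspecialchars()` or `htmlentities()` around it.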
Vendor
Apache Friends - http://www.apachefriends.org
Affected Version
1.7.7 (Windows)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
N/A
PoC
xampp_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/106685
[2] http://www.securityfocus.com/bid/50564
[3] http://securityreason.com/wlb_show/WLB-2011110029
[4] http://xforce.iss.net/xforce/xfdb/71168
Changelog
[07.11.2011] - Initial release
[09.11.2011] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk