docuFORM Mercury WebApp 6.16a/5.20 Multiple Cross-Site Scripting Vulnerabilities

Title: docuFORM Mercury WebApp 6.16a/5.20 Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-5010
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 20.04.2011
Summary
Unlimited options for production printing and customer solutions.
Description
The Mercury Web Application suffers from multiple XSS vulnerabilities when parsing user input through the GET parameter 'this_url' and the POST parameter 'aa_sfunc' in the f_state.php, f_list.php, f_job.php and f_header.php scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.
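A detection check for the two inputs named above, as an added example that is not part of the original advisory or of the vendor's code: it flags requests to the four affected scripts whose 'this_url' query value or 'aa_sfunc' form value contains HTML metacharacters after repeated URL-decoding. The function names, the metacharacter set and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Script and parameter names are taken from the advisory text.
AFFECTED_SCRIPTS = {"f_state.php", "f_list.php", "f_job.php", "f_header.php"}
# Assumed heuristic: characters that let a reflected value leave its HTML context.
HTML_META = set("<>\"'`")


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C) so metacharacters cannot hide."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target, body=""):
    """Return names of watched parameters carrying HTML metacharacters.

    target is the request target from the request line; body is the
    urlencoded form body of a POST request (empty for GET).
    """
    parts = urlsplit(target)
    if posixpath.basename(parts.path).lower() not in AFFECTED_SCRIPTS:
        return []
    hits = []
    for name, raw in (("this_url", parts.query), ("aa_sfunc", body)):
        values = parse_qs(raw, keep_blank_values=True).get(name, [])
        if any(HTML_META & set(fully_decode(v)) for v in values):
            hits.append(name)
    return hits


# Constructed sample requests (paths and values are illustrative only).
SAMPLES = [
    ("/f_state.php?this_url=f_list.php", ""),
    ("/f_job.php?this_url=%22%3E%3Cb%3Emarker%3C%2Fb%3E", ""),
    ("/f_header.php?this_url=%2522%253E", ""),
    ("/f_list.php", "aa_sfunc=%3Ci%3Emarker%3C%2Fi%3E"),
    ("/index.php?this_url=%3Cb%3E", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, "->", suspicious_params(target, body) or "clean")
```

A match is only a detection signal for log review or request filtering; the underlying fix is to HTML-encode these values wherever the scripts write them into a page.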
Vendor
docuFORM GmbH - http://www.docuform.de
Affected Version
6.16a and 5.20
Tested On
Microsoft Windows XP Professional SP3 (EN)
Mercury HTTP and Database Server 6.16
Vendor Status
[14.04.2011] Vulnerability discovered.
[16.04.2011] Vendor contact.
[19.04.2011] No reply from vendor.
[20.04.2011] Public advisory released.
PoC
mercury_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/17192/
[2] http://www.securityfocus.com/bid/47506
[3] http://securityreason.com/exploitalert/10358
[4] http://packetstormsecurity.org/files/100625
[5] http://secunia.com/advisories/44209
[6] http://xforce.iss.net/xforce/xfdb/66986
[7] http://osvdb.org/show/osvdb/72137
[8] http://osvdb.org/show/osvdb/72138
[9] http://osvdb.org/show/osvdb/72139
[10] http://osvdb.org/show/osvdb/72140
Changelog
[20.04.2011] - Initial release
[21.04.2011] - Added reference [3], [4] and [5]
[23.04.2011] - Added reference [6]
[10.05.2011] - Added reference [7], [8], [9] and [10]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk