WampServer 2.0i (index.php) Remote Cross Site Scripting Vulnerability

Low
Advisory ID
ZSL-2010-4926
Release Date
22 February 2010
Vendor
Romain Bourdon (Roms) - http://www.wampserver.com
Affected Version
2.0i
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

WampServer - Apache, PHP, MySQL on Windows.

Description

WampServer is susceptible to a cross-site scripting vulnerability. This issue is due to the application's failure to properly sanitize user-supplied input. An attacker may leverage any of the cross-site scripting issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials, phishing, as well as other attacks.

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
22.02.2010 Initial release
22.02.2010 Added reference [1] and [2]
23.02.2010 Added reference [3], [4] and [5]
26.02.2010 Added reference [6], [7], [8] and [9]
28.02.2010 Added reference [10]
03.03.2010 Added reference [11], [12] and [13]
25.10.2021 Added reference [14]