Online Grades 3.2.5 Multiple XSS Vulnerabilities

Severity: Medium
Advisory ID: ZSL-2011-5029
Release Date: 25 July 2011
Vendor: Online Grades Project Team - http://www.onlinegrades.org
Affected Version: 3.2.5
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

Online Grades is the leading free-software project that allows K-12+ student grade and attendance information to be posted onto a dynamic web site.

Description

Online Grades suffers from multiple cross-site scripting vulnerabilities. The issue is triggered when input passed via multiple parameters to the 'admin/admin.php' script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
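Added here to illustrate the missing step the description refers to, not code from the Online Grades project: a PHP helper that encodes request parameters at the point where a script reflects them into HTML. The parameter names and the sample request are constructed placeholders, since the advisory does not list the affected parameters.

```php
<?php
// Added example, not Online Grades code. Shows output encoding of request
// parameters before they are reflected into HTML, the step the advisory
// reports as missing in admin/admin.php.

// Encode a value for safe insertion into HTML text or a quoted attribute.
// ENT_QUOTES escapes both quote styles; the explicit charset avoids
// encoding mismatches between the script and the page.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Read a request parameter and return it already encoded, falling back to
// a default when it is absent or not a plain string. Encoding happens once,
// at the output sink, so every reflected parameter goes through it.
function reflected_param(array $request, string $name, string $default = ''): string
{
    $raw = $request[$name] ?? $default;
    if (!is_string($raw)) {            // arrays or other types are never echoed
        $raw = $default;
    }
    return html_out($raw);
}

// Constructed sample request; 'q' and 'page' are placeholder names, not the
// actual admin.php parameters (the advisory does not name them).
$request = ['q' => 'term <b>bold</b> "quoted"', 'page' => '2'];

// Vulnerable pattern: the raw parameter is concatenated into the page, so
// any markup it carries is interpreted by the browser.
$unsafe = 'Results for: ' . $request['q'];

// Hardened pattern: same output, encoded at the sink.
$safe = 'Results for: ' . reflected_param($request, 'q');

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

Fixing only a single parameter is not enough here; the advisory notes several, so each value that admin.php echoes back should pass through the same encoding function.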

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
25.07.2011 Initial release
26.07.2011 Added reference [1] and [2]
27.07.2011 Added reference [3] and [4]
28.07.2011 Added reference [5]