
XAMPP 1.7.7 Multiple URI Based Cross-Site Scripting Vulnerabilities

Medium
Advisory ID: ZSL-2011-5054
Release Date: 07 November 2011
Vendor
Affected Version: 1.7.7 (Windows)
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN)

Summary

XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl.

Description

XAMPP suffers from multiple XSS issues in several scripts that use the 'PHP_SELF' variable. The vulnerabilities can be triggered in 'xamppsecurity.php', 'cds.php' and 'perlinfo.pl' because the affected scripts do not filter this variable. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.
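
The unfiltered 'PHP_SELF' pattern described above, next to a hardened form, as an added PHP example. It is not XAMPP's code: the function names, the `/cds.php` path and the request values are constructed for illustration.

```php
<?php
// Added example, not taken from XAMPP. All function names are hypothetical.

// Vulnerable pattern: PHP_SELF is the script name plus any extra path
// data the client appended to the URI, written into HTML unescaped.
function form_open_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern: SCRIPT_NAME carries no client-supplied trailing path,
// and the value is still encoded for the HTML attribute context.
function form_open_safe(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// When the full PHP_SELF value has to be shown, encode it at output time.
function show_self(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Regression check for templates: true when the tag has exactly the two
// double quotes that delimit method= and action= and one closing '>'.
function attribute_is_intact(string $tag): bool
{
    return substr_count($tag, '"') === 4 && substr_count($tag, '>') === 1;
}

// Constructed request values: extra path data containing HTML metacharacters.
$server = [
    'SCRIPT_NAME' => '/cds.php',
    'PHP_SELF'    => '/cds.php/x"<y>&z',
];

foreach (['form_open_unsafe', 'form_open_safe'] as $fn) {
    $tag = $fn($server);
    echo $fn, ': ', $tag, ' intact=', var_export(attribute_is_intact($tag), true), PHP_EOL;
}
echo 'show_self: ', show_self($server), PHP_EOL;
```

The same rule applies to 'perlinfo.pl': encode the request path for HTML before printing it.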

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
07.11.2011 - Initial release
09.11.2011 - Added reference [3] and [4]