webgrind 1.0 (dataFile) Remote Reflected XSS Vulnerability

Title: webgrind 1.0 (dataFile) Remote Reflected XSS Vulnerability
Advisory ID: ZSL-2012-5073
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 17.02.2012
Summary
Webgrind is an Xdebug profiling web frontend in PHP5.
Description
webgrind suffers from a reflected XSS vulnerability: user input supplied to the 'dataFile' parameter of the index.php script via the GET method is reflected back into the page without sanitization. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

--------------------------------------------------------------------------------

/index.php (lines 24-25):
-----------
case 'function_list':
    $dataFile = get('dataFile');

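As an added illustration (not webgrind's own code), the following PHP shows the pattern behind this class of bug and one hardened alternative: an assumed handler that echoes the raw 'dataFile' value into HTML, beside a version that reduces the value to a bare file name, accepts only names present in an allowlist built from the profile directory, and HTML-escapes it on output. The functions get(), render_unsafe() and render_safe(), the $profileDir value and the cachegrind.out.* naming are assumptions for this example, not webgrind's API.

```php
<?php
// Added example, not webgrind's code. Shows the reflected-XSS pattern behind
// an unvalidated 'dataFile' parameter and one hardened way to handle it.

// Assumed helper: returns a raw GET parameter or null (webgrind's own get()
// is assumed to behave similarly; its real implementation is not shown here).
function get(string $name): ?string {
    return isset($_GET[$name]) ? (string)$_GET[$name] : null;
}

// Vulnerable pattern: the raw parameter is written into HTML unescaped, so
// any markup in the query string is reflected to the browser verbatim.
function render_unsafe(?string $dataFile): string {
    return "<h2>Profile: " . $dataFile . "</h2>";
}

// Hardened pattern:
//  1. reduce the value to a bare file name (drops any directory component),
//  2. accept only names that exist in the configured profile directory,
//  3. HTML-escape whatever is echoed back.
function render_safe(?string $dataFile, string $profileDir): string {
    if ($dataFile === null || $dataFile === '') {
        return "<h2>No profile selected</h2>";
    }
    $name = basename($dataFile);
    // Allowlist: only profile files actually present in $profileDir.
    // Assumes Xdebug's default cachegrind.out.* output naming.
    $allowed = array_map('basename', glob($profileDir . '/cachegrind.out.*') ?: []);
    if (!in_array($name, $allowed, true)) {
        // Do not reflect the rejected value; record the event server-side instead.
        error_log("render_safe: rejected dataFile parameter");
        return "<h2>Unknown profile</h2>";
    }
    $escaped = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "<h2>Profile: " . $escaped . "</h2>";
}

// Usage (constructed request): index.php?op=function_list&dataFile=<value>
$dataFile = get('dataFile');
echo render_safe($dataFile, '/tmp');
```

With the hardened version, a value that is not an existing profile file name is never written into the response, and a legitimate name is escaped before it reaches the browser.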
--------------------------------------------------------------------------------

Vendor
Joakim Nygard and Jacob Oettinger - http://code.google.com/p/webgrind
Affected Version
1.0
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.9
MySQL 5.5.20
Vendor Status
[13.02.2012] Vulnerability discovered.
[16.02.2012] Vendor notified.
[17.02.2012] Public security advisory released.
[17.02.2012] Vendor states that the issue is fixed in the current version in trunk on GitHub.
PoC
webgrind_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://code.google.com/p/webgrind/issues/detail?id=65
[2] https://github.com/jokkedk/webgrind
[3] http://packetstormsecurity.org/files/109922/Webgrind-1.0-Cross-Site-Scripting.html
[4] http://cxsecurity.com/issue/WLB-2012020152
[5] http://www.securityfocus.com/bid/52068
[6] http://xforce.iss.net/xforce/xfdb/73337
Changelog
[17.02.2012] - Initial release
[18.02.2012] - Added references [3], [4] and [5]
[25.02.2012] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk