Title: TurboTrafficTrader C Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
Severity: MODERATE
Description:
TurboTrafficTrader C is a CGI traffic-trading program for Linux and FreeBSD. It is used to set up link-referrer trading agreements between webmasters.
It has been reported that TurboTrafficTrader C does not properly sanitize input received from users. It has been conjectured that this may allow a remote user to launch cross-site scripting and HTML injection attacks.
Various user-supplied input fields and request headers are reported not to be properly sanitized, which could lead to cross-site scripting attacks. These include 'link', 'REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', and 'Referer'. Other fields may also be affected.
When signing up as a new webmaster on an affected site, the 'Site Name', 'Site URL', 'Webmaster e-mail', and 'Webmaster ICQ' fields may also not be properly sanitized. These values are stored in the database and could lead to HTML injection attacks.
The cross-site scripting issues could permit a remote attacker to create a malicious link to the vulnerable application that includes hostile HTML and script code. If this link were followed, the hostile code may be rendered in the web browser of the victim user.
The HTML injection issues could allow an attacker to post malicious HTML and script code that would then later be rendered in the web browser of further visitors to the affected site.
These attacks would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials. Other attacks are also possible.
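As an added example, not TurboTrafficTrader's own code, the two controls the description points to: HTML-escaping request values such as 'HTTP_X_FORWARDED_FOR' and 'Referer' before they are rendered, and restricting the stored 'Site URL' to http(s), because escaping alone does not neutralise a javascript: URL placed in an href. Function names and the sample header value are hypothetical.

```c
/* Added example (not TurboTrafficTrader code): output-encode request and
 * form values before they reach HTML, and reject non-http(s) Site URLs. */
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Escape the five HTML-significant characters. Writes at most outsz-1 bytes
 * plus a NUL, never emits a partial entity, and returns the length the full
 * escaped string needs, so a return value >= outsz means truncation. */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t n, need = 0, pos = 0;
    int trunc = (outsz == 0);
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        need += n;
        if (trunc || pos + n >= outsz) trunc = 1;   /* keep room for the NUL */
        else { memcpy(out + pos, rep, n); pos += n; }
    }
    if (outsz) out[pos] = '\0';
    return need;
}

/* Escaping alone does not make a stored value safe as an href: a
 * "javascript:" Site URL would still execute. Allow only http(s). */
int valid_site_url(const char *url)
{
    if (strncasecmp(url, "http://", 7) && strncasecmp(url, "https://", 8))
        return 0;
    for (; *url; url++)                 /* no controls, spaces or quotes */
        if ((unsigned char)*url <= ' ' || strchr("\"'<>", *url))
            return 0;
    return 1;
}

/* Render a CGI header (e.g. HTTP_X_FORWARDED_FOR) escaped; 1 = fit in out. */
int render_env(const char *name, char *out, size_t outsz)
{
    const char *v = getenv(name);       /* missing header renders as "" */
    return html_escape(v ? v : "", out, outsz) < outsz;
}
```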
Affected Products:
- TurboTrafficTrader TurboTrafficTrader C 1.0.0
References:
- TurboTrafficTrader: Vendor Home Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.