• IDP Daily Update #1276
  posted: 10/03/08
  
• NSM Daily Update #1276
  posted: 10/03/08
  
• Deep Inspection 5.3r5 and above, 5.4, 6.0 #1276
  posted: 10/03/08
  
• Deep Inspection 5.1, 5.2, 5.3r4 and below #1274
  posted: 10/03/08
  
• Deep Inspection 5.0 #1132
  posted: 04/01/08
  
• Antivirus
  posted: 10/02/08

Text Size:        

• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Annuaire 1Two Commentaires.PHP Multiple HTML Injection Vulnerabilities

Severity: MODERATE

Description:

Annuaire 1Two is Web forum software implemented in PHP.

Annuaire 1Two is prone to multiple HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Specifically the 'site_id', 'nom', 'email', and 'commentaire' parameters of 'commentaires.php' are not properly sanitized.

Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

Affected Products:

• 1two.org Annuaire 1Two 1.0.0
• 1two.org Annuaire 1Two 1.1.0

References:

• hackisknowledge: *Annuaire 1Two v1.0*
• 1two.org: 1Two Scripts