Santafox Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities

Summary
The host is running Santafox and is prone to Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities.
Impact
Successful exploitation will allow attackers to execute arbitrary web script or HTML in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
Upgrade to SantaFox version 3.01. For updates refer to http://www.santafox.ru/download.html
Insight
The flaws are caused by:
- improper validation of user-supplied input passed via the 'search' parameter to search.html, which allows attackers to execute arbitrary HTML and script code on the web server;
- a cross-site request forgery vulnerability in admin/manager_users.class.php, which allows remote attackers to hijack the authentication of administrators.
Affected
SantaFox 2.02 and prior.
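Triage logic for the two issues above, as an added example that is not part of the advisory or of SantaFox itself: it walks constructed Apache combined-format access-log lines, flags script-like values in the 'search' parameter of search.html, and flags state-changing requests to admin/manager_users.class.php whose Referer is missing or from another host (a heuristic; the site host example.test and the log format are assumptions).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache "combined" access-log format (regex written for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Markers typical of script injection in a reflected search term.
XSS_MARKERS = re.compile(r'<\s*script|javascript:|on\w+\s*=|<\s*iframe|<\s*img', re.I)

def classify(line, site_host):
    """Return (kind, client_ip, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []          # malformed line: nothing to say about it
    findings = []
    parts = urlsplit(m['url'])
    path = parts.path.lower()
    # 1. Reflected XSS attempts via the 'search' parameter of search.html.
    if path.endswith('/search.html'):
        for value in parse_qs(parts.query).get('search', []):
            # parse_qs decoded once; decode again to catch double-encoded payloads
            if XSS_MARKERS.search(unquote_plus(value)):
                findings.append(('xss_attempt', m['ip'], value))
    # 2. Possible CSRF against admin/manager_users.class.php: a state-changing
    #    request (POST, or GET with parameters) whose Referer is absent or foreign.
    if path.endswith('admin/manager_users.class.php') and (m['method'] == 'POST' or parts.query):
        ref = m['referer']
        ref_host = urlsplit(ref).netloc.lower() if ref not in ('', '-') else ''
        if ref_host != site_host.lower():
            findings.append(('csrf_suspect', m['ip'], ref))
    return findings

# Constructed sample lines (not real traffic); the site is assumed to be example.test.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.html?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Oct/2023:13:56:01 +0000] "GET /search.html?search=red+shoes HTTP/1.1" 200 4096 "http://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "POST /admin/manager_users.class.php HTTP/1.1" 302 0 "http://evil.test/page.html" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Oct/2023:14:03:00 +0000] "POST /admin/manager_users.class.php HTTP/1.1" 302 0 "http://example.test/admin/manager_users.class.php" "Mozilla/5.0"',
]

def scan(lines, site_host='example.test'):
    """Run classify() over every line and collect the findings in order."""
    return [f for line in lines for f in classify(line, site_host)]

if __name__ == '__main__':
    for kind, ip, detail in scan(SAMPLE_LOG):
        print(f'{kind:13} {ip:15} {detail}')
```

Same-origin requests that legitimately omit a Referer (strict referrer policies, some proxies) will show up as csrf_suspect, so treat that finding as a lead to correlate with the admin session, not as proof.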
References