Disclosure: ARIA (Accounting Receiving and Inventory Administration) genmessage.php Message Field XSS

[This was originally published on OSVDB, now gone. VulnDB ID 24255]

From: security curmudgeon
To: jflechtner[at]users.sourceforge.net
Date: Tue, 28 Mar 2006 11:25:02 -0500 (EST)
Subject: ARIA security issue

Hey Josh,

Not sure if you are still maintaining this project, but while playing with the demo I noticed a small security issue. The genmessage.php script doesn’t sanitize user input submitted to the Message Field (message variable) allowing for cross-site scripting (XSS) attacks. I didn’t test the other scripts so this may occur in other scripts.



Leave a Reply

%d bloggers like this: