Message-ID: <1103764055_1126@S2.cableone.net>
Date: Wed, 22 Dec 2004 18:50:51 -0600
From: "GulfTech Security" <security@...ftech.org>
To: <bugtraq@...urityfocus.com>,
	"Secunia Research" <vuln@...unia.com>, "OSVDB" <moderators@...db.org>
Subject: Cross Site Scripting In PsychoStats 2.2.4 Beta && Earlier




##########################################################
# GulfTech Security Research	       December 22nd, 2004
##########################################################
# Vendor  : Jason Morriss
# URL     : http://www.psychostats.com/
# Version : PsychoStats 2.2.4 Beta && Earlier
# Risk    : Cross Site Scripting
##########################################################



Description:
PsychoStats is a statistics generator for games. Currently there is support
for a handful of Half-Life "MODs" including Counter-Strike, Day of Defeat,
and Natural Selection. PsychoStats gathers statistics from the log files that
game servers create by reading through the logs and then calculating detailed
statistics for players, maps, weapons and clans. These detailed statistics
are stored in a MySQL database and are then viewed online from your website
using a set of PHP web pages.




Cross Site Scripting:
Cross site scripting exists in Jason Morriss' PsychoStats. This vulnerability
exists because user-supplied input, such as the login parameter of login.php
shown below, is not checked properly before it is output. Below is an example.

 http://www.example.com/stats/login.php?login=[XSS]

This vulnerability could be used to steal cookie-based authentication
credentials within the scope of the current domain, or render hostile code
in a victim's browser.
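As an added illustration (not PsychoStats' own code, which the advisory does not show), the pattern described above, a login form that writes the login parameter back into the page, beside an escaped version; the function names and the form markup are assumed:

```php
<?php
// Added example, not PsychoStats' code: a login form that reflects the
// ?login= query parameter back into the page, as the advisory describes.

// Vulnerable: the raw parameter is concatenated straight into HTML, so any
// markup it carries becomes part of the page the victim's browser renders.
function render_login_field_unsafe(string $login): string
{
    return '<input type="text" name="login" value="' . $login . '">';
}

// Hardened: escape for the HTML attribute context it is written into.
// ENT_QUOTES converts both quote styles so the value cannot close the
// attribute; ENT_SUBSTITUTE keeps invalid byte sequences from emptying the
// output; the charset must match the encoding the page declares.
function render_login_field(string $login): string
{
    $safe = htmlspecialchars($login, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="login" value="' . $safe . '">';
}

// Constructed probe value (not taken from the advisory) that tries to close
// the attribute and add a tag of its own. With the unsafe renderer the tag
// survives; with the escaped renderer every < > and " is entity-encoded.
$probe = '"><b>injected</b>';
$results = [
    'unsafe'  => render_login_field_unsafe($probe),
    'escaped' => render_login_field($probe),
];
foreach ($results as $label => $html) {
    $leaks = strpos($html, '<b>') !== false ? 'markup leaks' : 'markup neutralised';
    printf("%-8s %-20s %s\n", $label, $leaks, $html);
}
```

Marking the session cookie HttpOnly (session.cookie_httponly in php.ini) limits what a reflected script can read, but it does not replace escaping every place user-controlled data is echoed.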




Solution:
The vendor was contacted, responded very promptly, said he would be addressing
the issue soon, and has since released an updated version of the software.

http://www.psychostats.com/forums/viewtopic.php?t=11022

You can find directions on how to install the patch at the link listed above.
Users should upgrade as soon as they can.


Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00057-12222004



Credits:
James Bercegay of the GulfTech Security Research Team

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.6.4 - Release Date: 12/22/2004