http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3100
http://owl.sourceforge.net/
Owl is a multi-user document repository (knowledgebase) system for publishing files/documents onto the web.
The application is vulnerable to simple cross-site scripting (XSS), which can be used for several issues.
Assuming Owl is installed on http://localhost/Owl/, one can inject JavaScript with:
http://localhost/Owl/register.php?myaction=getpasswd&username="><script>alert(1);</script>
Replace your owl.lib.php with the version from owl.cvs.sourceforge.net/*checkout*/owl/owl-0.90/lib/owl.lib.php
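To check whether an installation was probed through this parameter before the fixed owl.lib.php was put in place, the following added example (not part of the original advisory and not Owl code) scans web server access log lines for register.php requests whose username parameter contains HTML metacharacters. The common/combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters needed to close an attribute value or open a tag.
HTML_META = re.compile(r'[<>"]')

def suspicious_username(log_line):
    """Return the decoded username value when the line is a register.php
    request whose username parameter holds HTML metacharacters, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    try:
        target = urlsplit(match.group(1))
    except ValueError:          # malformed request target
        return None
    if not target.path.lower().endswith("/register.php"):
        return None
    # parse_qs percent-decodes, so %22%3E and a literal "> are treated alike.
    params = parse_qs(target.query, keep_blank_values=True)
    for value in params.get("username", []):
        if HTML_META.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_username(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jul/2008:10:00:01 +0200] "GET /Owl/register.php?myaction=getpasswd&username=alice HTTP/1.1" 200 2310',
    '192.0.2.77 - - [28/Jul/2008:10:02:13 +0200] "GET /Owl/register.php?myaction=getpasswd&username=%22%3E%3Cscript%3Ealert(1)%3B%3C/script%3E HTTP/1.1" 200 2344',
    '192.0.2.10 - - [28/Jul/2008:10:03:40 +0200] "GET /Owl/index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: username={value!r}")
```

Only the query string is visible in access logs, so a username submitted in a POST body is not covered by this check.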
2008-07-27 Vendor contacted
2008-07-28 Vendor fixed issue in cvs, no new stable release yet
2008-07-28 Advisory published
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3100 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
This vulnerability was discovered by Fabian Fingerle (published with help from Hanno Boeck).
It's licensed under the Creative Commons Attribution license.
Fabian Fingerle, 2008-07-28, http://www.fabian-fingerle.de