Written by RoMaNcYxHaCkEr
Tuesday, 17 March 2009 21:53
Kipper Local File Include and Cross Site Scripting Vulnerabilities
Input Validation Error
Feb 05 2009 12:00AM
Mar 17 2009 07:46PM
Carson Fire Kipper 2.01
Kipper is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to
properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute
local files within the context of the webserver process.
The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an
unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication
credentials and launch other attacks.
Kipper 2.01 is vulnerable; other versions may also be affected.
Attackers can exploit these issues via a browser. To exploit a cross-site scripting issue, an attacker must
entice an unsuspecting victim into visiting a malicious URI.
The following example URIs are available:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of
more recent information, please mail us at:
http://www.bookelves.com/kipper (Carson Fire)