JVN#99453765
Cross-site scripting vulnerability in updir.php in UPDIR.NET
Overview
updir.php in UPDIR.NET contains a cross-site scripting vulnerability in the full-text search and file upload functions.
Products Affected
- updir.php version 2.03 and earlier
Description
updir.php from UPDIR.NET is software for publishing and managing image files, etc. on web servers. Once updir.php is installed on a web server, users can upload image files, etc. to the server and publish and manage the uploaded files. updir.php contains a cross-site scripting vulnerability in the full-text search and file upload functions.
Impact
An attacker could execute an arbitrary script on the user's web browser.
Solution
Update the Software
The developer has released updir.php version 2.04 addressing this vulnerability. It is recommended that users apply the latest updates provided by the developer.
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2007.11.09
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file | |
Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) | |
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | |
JVN iPedia | JVNDB-2007-000803 |