• IDP Daily Update #1312
  posted: 11/18/08
  
• NSM Daily Update #1312
  posted: 11/18/08
  
• Deep Inspection 5.3r5 and above, 5.4, 6.0 #1312
  posted: 11/18/08
  
• Deep Inspection 5.1, 5.2, 5.3r4 and below #1300
  posted: 11/18/08
  
• Deep Inspection 5.0 #1132
  posted: 04/01/08
  
• Antivirus
  posted: 11/17/08

Text Size:        

• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Annuaire (Directory) HTML Injection Vulnerability

Severity: MODERATE

Description:

Annuaire (Directory) is web-based address book and directory application implemented in PHP.

Annuaire (Directory) is prone to an HTML-injection vulnerability. The application fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, user-supplied input to the 'COMMENTAIRE' parameter of 'inscription.php' isn't properly sanitized.

Attacker-supplied HTML and script code would be executed in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

Affected Products:

• Annuaire Annuaire 1.0.0

References:

• Annuaire (Directory): Annuaire (Directory) Homepage