[原文]Cross-site scripting (XSS) vulnerability in adframe.php in phpAdsNew 2.0.4-pr1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the refresh parameter.
phpPgAds and phpAdsNew contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the refresh variable upon submission to the 'adframe.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade phpPgAds or phpAdsNew to version 2.0.4-pr2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
phpAdsNew is reportedly affected by a remote cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
No exploit is required.
The following proof of concept is available: http://www.example.com/[phpAdsNew]/adframe.php?refresh=example.com'>[XSS code]
The vendor has released phpAdsNew 2.0.4-pr2 to address this issue.