Antville version 1.1 suffers from a cross site scripting flaw.
-----BEGIN PGP SIGNED MESSAGE-----
+++++ Antville 1.1 Cross Site Scripting +++++
Nov 09, 2005
Moritz Naumann IT Consulting & Services
info AT moritz HYPHON naumann D0T com
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED APPLICATION OR SERVICE
Possibly versions 1.0 and lower (untested)
Everybody knows XSS.
A XSS vulnerability has been detected in Antville. The
problem is caused by insufficient input sanitation.
By making a victim visit a specially crafted URL, it is
possible to inject client side scripting (such as
The following URL demonstrates this issue:
This may not be easily exploitable for cookie/session
stealing attacks due to the IP address lock on the session.
Server: Prevent access to the Antville installation.
There does not seem to be a patch available. Our attempts
to contact the developers were unsuccessful.
Sep 19, 2005 Discovery
Sep 19, 2005 Code maintainer notification
Sep 29, 2005 Another code maintainer notification
Nov 09, 2005 Public disclosure
Creative Commons Attribution-ShareAlike License Germany
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Antville contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input when returning with an error page. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.