Online Grades 3.2.5 Multiple XSS Vulnerabilities

Title: Online Grades 3.2.5 Multiple XSS Vulnerabilities
Advisory ID: ZSL-2011-5029
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 25.07.2011
Summary
Online Grades is the leading free-software project that allows K-12+ student grade and attendance information to be posted onto a dynamic web site.
Description
Online Grades suffers from multiple cross-site scripting vulnerabilities. The issue is triggered when input passed via multiple parameters to the 'admin/admin.php' script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Because the affected script sits under the admin/ directory, the realistic target is an authenticated administrator who is induced to open a crafted link; the injected script then runs with that administrator's session.
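The pattern behind this class of bug, and the fix, shown as an added example. This is not code from Online Grades or from the advisory's PoC file: the page does not name the affected parameters, so 'page' and 'msg' below are hypothetical parameter names, and the request values are constructed. The code stays within PHP 5.3 syntax to match the tested platform.

```php
<?php
// Added illustration for the Online Grades 3.2.5 XSS advisory.
// Not the project's code: the real admin/admin.php and its parameter
// names are not shown on the page, so 'page' and 'msg' are assumptions.

// Encoder for untrusted values placed into HTML text or quoted attributes.
// ENT_QUOTES is passed explicitly: on PHP 5.3 the default is ENT_COMPAT,
// which leaves single quotes unencoded and so does not protect
// single-quoted attributes. The charset is fixed to avoid a mismatch
// between what the encoder assumes and what the browser decodes.
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: request parameters echoed straight into the page,
// which is what "not properly sanitized before being returned" describes.
function render_vulnerable(array $get)
{
    $page = isset($get['page']) ? $get['page'] : 'home';
    $msg  = isset($get['msg'])  ? $get['msg']  : '';
    return "<h2>Admin: $page</h2>\n"
         . "<input type=\"text\" name=\"msg\" value=\"$msg\">\n";
}

// Hardened pattern: every untrusted value is encoded for the HTML
// context it lands in, at the point of output rather than on input.
function render_hardened(array $get)
{
    $page = isset($get['page']) ? $get['page'] : 'home';
    $msg  = isset($get['msg'])  ? $get['msg']  : '';
    return "<h2>Admin: " . e($page) . "</h2>\n"
         . "<input type=\"text\" name=\"msg\" value=\"" . e($msg) . "\">\n";
}

// Constructed sample request (not from the advisory): the first value
// injects into element text, the second breaks out of a double-quoted
// attribute. Run with:  php xss_demo.php
$sample = array(
    'page' => '<script>alert(1)</script>',
    'msg'  => '"><img src=x onerror=alert(1)>',
);

echo "--- vulnerable ---\n", render_vulnerable($sample);
echo "--- hardened ---\n",   render_hardened($sample);
```

In the hardened output the angle brackets and quotes come back as `&lt;`, `&gt;` and `&quot;`, so the browser renders the payload as text. Values that land in a JavaScript block, a URL, or a CSS property need a different encoder for that context; `htmlspecialchars` alone is only correct for HTML text and attribute values. HttpOnly session cookies and a Content-Security-Policy reduce the impact of such a bug but do not remove it.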
Vendor
Online Grades Project Team - http://www.onlinegrades.org
Affected Version
3.2.5
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
onlinegrades_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.securityfocus.com/bid/48875
[2] http://packetstormsecurity.org/files/103384
[3] http://secunia.com/advisories/35304/
[4] http://securityreason.com/wlb_show/WLB-2011070094
[5] http://xforce.iss.net/xforce/xfdb/68793
Changelog
[25.07.2011] - Initial release
[26.07.2011] - Added reference [1] and [2]
[27.07.2011] - Added reference [3] and [4]
[28.07.2011] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk