Airkiosk/formlib application is XSS vuln

In the last week I've found a XSS vuln into the Sutra's Airkiosk application for the realtime distribution of flights/booking and check-in interface (www.airkiosk.com).

The XSS is possible because they are using a VULN/OLD formlib.pl in their application that permits to execute any JavaScript you like:

            &HtmlError("formlib.parse", "bjelli", "Error parsing $_, aborting.\n");

if you get the error 'f you need help, call bjelli.'.

I suppose it can be related to this flying companies (I've only tryed it on Blu-express, and Jet2.com):

Aero, Jet2.com, Air southwest, manx2, airsea, republicaairways, blu-express, highland airways, blueisland, tobagoexpress, evolavia, zambian, menajet.com, snowflake, airwales and other that is can be easy found by searching on google.

The maintainer (and the flying company blu-express) has been contacted twice via mail in the last two weeks but choose not to respond at all.

Regards
Skien Received on Tue Oct 30 12:07:00 2007

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek