#365 jscalendar v.1.0 (test.php) Cross-Site Scripting

[Sandor Attila Gerendi]

jscalendar v.1.0 (test.php) Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: April 21, 2008
Package: jscalendar
Product homepage: http://www.dynarch.com/projects/calendar/
Versions Affected: v.1.0 (Other versions may also be affected)
Severity: XSS

Input passed to "lang" parameter in "test.php" is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.

Example:
http://somehost/somepath/jscalendar/test.php?lang="></script><script>alert(1)</script><"

Solution:
Delete the test file.

Status:
1. Contacted the author at April 21, 2008 via sourceforge tracker.