Red Hat Bugzilla – Bug 1018114
CVE-2013-4433 xhprof: XSS vulnerability in run parameter
Last modified: 2016-03-04 07:12:33 EST
xhprof, a hierarchical profiler for PHP, was found to have a Cross-Site Scripting vulnerability in its run parameter, because it fails to sufficiently sanitize the user input.
To exploit this vulnerability, an attacker must entice an unsuspecting user to follow a malicious URI, which could compromise the cookie-based authentication information, execute arbitrary client-side scripts in the context of the browser, or obtain sensitive information.
The issue is known to be fixed in Xhprof 0.9.4.
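The pattern described above (a reflected `run` query parameter echoed into the page) side by side with a hardened version, as an added illustration that is not xhprof's own code and not the upstream fix. The function names are hypothetical, the hexadecimal shape assumed for run identifiers is an assumption, and the probe value is constructed for the demonstration.

```php
<?php
// Added illustration, not xhprof's own code: how a profiler web UI might
// handle a user-supplied "run" query parameter. Function names are hypothetical.

// Vulnerable pattern: the raw parameter is reflected into the HTML response.
function render_run_header_unsafe(array $query): string
{
    $run = $query['run'] ?? '';
    // Whatever the client sent lands in the page unescaped.
    return "<h2>Run: {$run}</h2>";
}

// Hardened pattern: validate the value against the expected shape first,
// then HTML-encode it at the point of output.
function validate_run_id(string $run): ?string
{
    // Assumption for this example: run identifiers are short hex strings.
    // Anything else is rejected outright rather than "cleaned".
    return preg_match('/^[0-9a-f]{1,32}$/', $run) === 1 ? $run : null;
}

function render_run_header_safe(array $query): string
{
    $run = validate_run_id((string)($query['run'] ?? ''));
    if ($run === null) {
        http_response_code(400);
        return '<p>Invalid run identifier.</p>';
    }
    // Output encoding is applied even after validation (defence in depth):
    // the value is data, never markup, by the time it reaches the browser.
    $escaped = htmlspecialchars($run, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Run: {$escaped}</h2>";
}

// Constructed probe value standing in for a crafted link.
$probe = ['run' => '<script>alert(1)</script>'];
echo render_run_header_unsafe($probe), PHP_EOL;  // script tag reaches the page
echo render_run_header_safe($probe), PHP_EOL;    // rejected with HTTP 400

// A well-formed identifier passes validation and is rendered encoded.
echo render_run_header_safe(['run' => '52a1b3c4d5e6f']), PHP_EOL;
```

Validation and output encoding are two separate controls here on purpose: the allow-list regex stops unexpected input at the boundary, while `htmlspecialchars` guarantees that even a value which slips past a future relaxation of the regex cannot be interpreted as markup.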
Created php-pecl-xhprof tracking bugs for this issue:
Affects: fedora-all [bug 1018115]
Affects: epel-6 [bug 1018116]
Note: in the xhprof RPM, the WebUI is protected and only allowed from the server (localhost).
CVE request: http://www.openwall.com/lists/oss-security/2013/10/14/1
php-pecl-xhprof-0.9.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.