VYPR
Unrated severity · NVD Advisory · Published Aug 31, 2004 · Updated Jun 16, 2026

CVE-2004-1648


Description

Cross-site scripting (XSS) vulnerability in (1) index.asp, (2) ChangePassword.asp, (3) users_list.asp, and (4) users_add.asp in Password Protect allows remote attackers to inject arbitrary web script or HTML via the ShowMsg parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The application does not sanitize or encode the ShowMsg query-string parameter before rendering it in the HTML output of multiple ASP pages."

Attack vector

An unauthenticated remote attacker can inject arbitrary HTML or JavaScript by crafting a URL that includes malicious code in the `ShowMsg` parameter of the affected scripts [ref_id=1]. For example, visiting `/adminSection/index.asp?ShowMsg=(XSS)` causes the unsanitized payload to be rendered in the victim's browser [ref_id=1]. No authentication or special network position is required; the attacker simply lures a victim (such as an administrator) into clicking the crafted link.

Affected code

The vulnerability exists in the ASP scripts `index.asp`, `ChangePassword.asp`, `users_list.asp`, and `users_add.asp` located in the `/adminSection/` directory of Password Protect [ref_id=1]. These files fail to filter or sanitize user-supplied input passed via the `ShowMsg` query-string parameter [ref_id=1].

What the fix does

The advisory does not include a patch or vendor-supplied fix [ref_id=1]. The vendor was contacted on 6 August 2004 but did not respond, and no updated version has been released to address the issue [ref_id=1]. To remediate, administrators must manually apply input validation and output encoding to the `ShowMsg` parameter in each of the four affected ASP files, ensuring that HTML special characters are escaped before being rendered.

Preconditions

  • Network: The attacker must be able to send HTTP requests to the web application (no authentication required).
  • Input: The victim (e.g., an administrator) must browse to a crafted URL containing the XSS payload in the ShowMsg parameter.

Reproduction

The advisory provides the following proof-of-concept examples [ref_id=1]:

  • `/adminSection/index.asp?ShowMsg=(XSS)`
  • `/adminSection/ChangePassword.asp?ShowMsg=(XSS)`
  • `/adminSection/users_list.asp?ShowMsg=(XSS)`
  • `/adminSection/users_add.asp?ShowMsg=(XSS)`

Replace `(XSS)` with a JavaScript payload such as `
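As an added illustration (not code from the advisory or from Password Protect), the following Python models the flawed and the output-encoded rendering of `ShowMsg` described under "What the fix does", and scans IIS-style log lines for requests that carry markup in `ShowMsg` against the four affected scripts. The log field order, the `render_*` helpers and the sample entries are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs

# The four /adminSection/ scripts named in the advisory.
AFFECTED_SCRIPTS = {"index.asp", "ChangePassword.asp", "users_list.asp", "users_add.asp"}

def render_show_msg_vulnerable(show_msg: str) -> str:
    """The flawed pattern: the ShowMsg value is written into the page as-is."""
    return f'<p class="msg">{show_msg}</p>'

def render_show_msg_fixed(show_msg: str) -> str:
    """The remediation: HTML-encode before output (classic ASP: Server.HTMLEncode)."""
    return f'<p class="msg">{html.escape(show_msg, quote=True)}</p>'

# Markup-significant characters a status message never legitimately needs.
_MARKUP = re.compile(r"[<>\"']")

def show_msg_if_affected(uri_stem: str, uri_query: str):
    """Decoded ShowMsg value when the request targets an affected script, else None."""
    directory, _, script = uri_stem.rpartition("/")
    if directory != "/adminSection" or script not in AFFECTED_SCRIPTS:
        return None
    values = parse_qs(uri_query, keep_blank_values=True).get("ShowMsg")
    return values[0] if values else None

def flag_show_msg_injection(log_lines):
    """Scan W3C-style IIS log lines (assumed field order: date time c-ip cs-method
    cs-uri-stem cs-uri-query sc-status); return (client ip, script, decoded ShowMsg)
    for requests whose ShowMsg carries markup characters."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        client_ip, stem, query = fields[2], fields[4], fields[5]
        value = show_msg_if_affected(stem, "" if query == "-" else query)
        if value is not None and _MARKUP.search(value):
            hits.append((client_ip, stem.rpartition("/")[2], value))
    return hits

# Constructed sample log lines (not from the advisory): one benign message, two
# injection attempts against affected scripts, one against an unaffected path.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-08-31 10:15:02 192.0.2.10 GET /adminSection/index.asp ShowMsg=Password+changed 200",
    "2004-08-31 10:15:40 192.0.2.44 GET /adminSection/index.asp ShowMsg=%3Cscript%3Ealert(1)%3C/script%3E 200",
    "2004-08-31 10:16:03 192.0.2.44 GET /adminSection/users_list.asp ShowMsg=%22%3E%3Cimg+src%3Dx%3E 200",
    "2004-08-31 10:16:30 192.0.2.77 GET /public/index.asp ShowMsg=%3Cb%3Ehi%3C/b%3E 200",
]
```

Running `flag_show_msg_injection(SAMPLE_LOG)` returns only the two `/adminSection/` requests whose decoded `ShowMsg` contains markup; the benign message and the request to the unaffected path are not reported.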

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
