CVE-2005-4698
Description
Cross-site scripting (XSS) vulnerability in TellMe 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) q_IP (IP) or (2) q_Host (HOST) parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization of the q_IP and q_Host parameters allows arbitrary HTML/JavaScript injection."
Attack vector
An attacker crafts a URL containing JavaScript or HTML in either the `q_IP` or `q_Host` parameter, such as `http://[host]/tellme/index.php?q_Host=<script>alert(1)</script>` [ref_id=1]. When a victim visits this URL, TellMe does not sanitize the input, so the injected script is rendered and executed in the victim's browser context [ref_id=1]. No authentication or special network position is required; the attacker only needs to lure the victim into clicking the crafted link.
Affected code
The advisory identifies that TellMe 1.2 and earlier does not filter malicious script content in the `q_IP` (IP) or `q_Host` (HOST) parameters processed by `index.php` [ref_id=1]. The vulnerable code path is in the handling of these query string parameters before they are rendered in the user's browser.
What the fix does
The advisory states the vendor released TellMe 1.3 along with a diff patch (`tellme-1.2-1.3.diff`) to address the issue [ref_id=1]. The fix likely involves properly escaping or sanitizing the `q_IP` and `q_Host` parameters before output, preventing injected script content from being interpreted as HTML/JavaScript [ref_id=1]. No further details of the patch are provided in the advisory.
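The advisory does not include the patched code, so the following is an added illustration rather than TellMe's own index.php or the contents of tellme-1.2-1.3.diff. It reconstructs the vulnerable pattern the advisory describes (raw q_IP and q_Host echoed into the page) beside a hardened handler that validates each parameter for what it claims to be and HTML-encodes it on output. The function names, the page markup and the CLI demo payload are assumptions made for the example.

```php
<?php
// Added example, not TellMe's code. Serve with `php -S 127.0.0.1:8080` and
// request /?q_Host=%3Cscript%3Ealert(1)%3C/script%3E, or run from the CLI
// to compare the two renderings offline.
declare(strict_types=1);

// Assumed shape of the pre-1.3 behaviour: query parameters are concatenated
// straight into the HTML response, so any markup in them is interpreted.
function render_vulnerable(array $query): string
{
    $ip   = (string)($query['q_IP']   ?? '');
    $host = (string)($query['q_Host'] ?? '');
    return "<p>IP: " . $ip . "</p>\n<p>Host: " . $host . "</p>\n";
}

// Input validation: an IP parameter must parse as an IP address.
function valid_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

// Input validation: a HOST parameter must be an RFC 1123 hostname
// (dot-separated labels of letters, digits and hyphens, no leading or
// trailing hyphen, at most 253 characters overall).
function valid_host(string $host): bool
{
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Output encoding: htmlspecialchars with ENT_QUOTES turns < > & " ' into
// entities, so even a value that slipped past validation renders as text.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened handler: validate, substitute a fixed message for rejected
// values instead of reflecting them, and escape everything on output.
function render_hardened(array $query): string
{
    $ip   = (string)($query['q_IP']   ?? '');
    $host = (string)($query['q_Host'] ?? '');

    $ipOut   = valid_ip($ip)     ? $ip   : '(invalid IP)';
    $hostOut = valid_host($host) ? $host : '(invalid host)';

    return "<p>IP: " . html_escape($ipOut) . "</p>\n"
         . "<p>Host: " . html_escape($hostOut) . "</p>\n";
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    echo render_hardened($_GET);
} else {
    // Constructed payload matching the advisory's proof of concept.
    $payload = ['q_Host' => '<script>alert(1)</script>', 'q_IP' => '10.0.0.1'];
    echo "vulnerable:\n", render_vulnerable($payload);
    echo "hardened:\n",   render_hardened($payload);
}
```

In the CLI run the vulnerable rendering contains the literal `<script>` tag while the hardened one prints `(invalid host)`; change the payload to a legitimate hostname such as `example.org` and both print the same text, which is the point: validation narrows what is accepted, but the output encoding is what actually closes the XSS, and it should be applied even to values that passed validation.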
Preconditions
- The attacker must craft a URL with malicious script in the q_IP or q_Host parameter
- The victim must visit the crafted URL in a browser that executes JavaScript
Reproduction
1. Deploy TellMe 1.2 or earlier on a web server.
2. Open a browser and navigate to `http://[host]/tellme/index.php?q_Host=<script>alert('XSS')</script>`.
3. Observe that the JavaScript executes in the browser, confirming the cross-site scripting vulnerability [ref_id=1].
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- kimihia.org.nz/projects/tellme/files/tellme-1.2-1.3.diff (Patch)
- secunia.com/advisories/17078 (Patch, Vendor Advisory)
- archives.neohapsis.com/archives/fulldisclosure/2005-10/0107.html (Exploit, Patch)
- exploitlabs.com/files/advisories/EXPL-A-2005-015-tellme.txt (Exploit, Patch)
- www.osvdb.org/19870 (Exploit, Patch)
- www.securityfocus.com/bid/15012 (Exploit, Patch)
- exchange.xforce.ibmcloud.com/vulnerabilities/22521
News mentions
No linked articles in our index yet.