lemonsoftwarero wrote on Monday, April 16, 2007:
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
The following proof-of-concept URI is available:
http://www.example.com/openemr/interface/login/login_frame.php?rootdir=[XSS]
Source: http://www.securitydot.net/vuln/exploits/vulnerabilities/articles/19826/vuln.html
We can rid of it implementing some antiXSS function or better, a class for input cleaning. I’ve personally have made such a class; if you agree, I can implement it easily.
Regards.