Trustwave SpiderLabs has published a new advisory today for a Cross-Site Scripting vulnerability discovered in Support Incident Tracker (aka SiT!). For those who are unfamiliar with SiT!, it is an open-source software used for tracking technical support calls/emails. Currently, SiT! version 3.66 and prior are affected by a XSS vulnerability found in the setup.php page (note: setup.php exists after the installation successfully completes and the page is vulnerable if left unpatched). Jonathan Claudius who is a member of the SpiderLabs Research team discovered this vulnerability while implementing TrustKeeper probes for this product.
The Support Incident Tracker team has acknowledged this security issue and they have published a fix for it in version 3.67. It is recommended to upgrade to the latest version of SiT! or download the patch which is available here: http://sitracker.wordpress.com/2012/08/18/news-august-2012/
Additionally, Trustwave SpiderLabs has deployed protections for this finding in the ModSecurity Commercial Rules Feed. Also, the Trustwave's Intrusion Detection System and TrustKeeper vulnerability scanning solution has been updated to detect this finding.