DeepMetrix LiveStats javascript injection

From: securityat_private
Date: Mon Jun 17 2002 - 16:05:11 PDT


    Background:
    DeepMetrix (formerly MediaHouse) LiveStats is server
    software that provides an interactive web based summary
    of website traffic based on HTTP server logs.
    
    Details:
    By crafting special User-Agent or Referer headers on
    HTTP requests to a web site that is monitored by
    LiveStats, arbitrary JavaScript can be executed in the
    browser of a person viewing the LiveStats HTML reports.
    LiveStats displays the browser-tag and referer strings
    in its reports verbatim, including any script tags.
    Injected script that discloses the URL of the LiveStats
    interface could allow access that is normally protected
    only by a private ServerID.
    
    Demonstration:
    Browse http://www.deepmetrix.com/ with a user-agent of
    XXX<script>alert("foo");</script>
    Then browse the Demo of LiveStats available on the
    Deepmetrix web site at:
    http://livestats.deepmetrix.com/stats?type=login&action=login&serverid=deepmetrix&username=guest
    In the "Tabular - Who's On - XX Active Visitors" area
    of the "Who's On" page, expand the IP address from which
    the request was made. The next window will include the
    alert() popup.
    
    Versions between 5.03 and 6.2.1 are affected. Vendor
    was notified on 5/17/2002.
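    As an added example (not the advisory author's code and not
    DeepMetrix's), the Python below assumes a LiveStats-style report
    built from Apache Combined Log Format lines; the two log lines are
    constructed, the first carrying the advisory's probe string. It
    shows the verbatim interpolation the advisory describes beside an
    HTML-escaped version, and a check that flags header values
    carrying markup.

```python
import html
import re

# Constructed sample lines in Apache Combined Log Format, the kind of log
# LiveStats reports on. The first user-agent carries the advisory's probe
# string; Apache writes embedded quotes in header values as \".
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2002:16:05:11 -0700] "GET / HTTP/1.1" 200 512 '
    '"http://example.com/" "XXX<script>alert(\\"foo\\");</script>"',
    '198.51.100.7 - - [17/Jun/2002:16:06:02 -0700] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)


def parse_combined(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["agent"] = entry["agent"].replace('\\"', '"')  # undo Apache quoting
    return entry


def render_row_unsafe(entry):
    """Verbatim interpolation: the report behaviour the advisory describes."""
    return "<tr>" + "".join(f"<td>{entry[k]}</td>" for k in ("ip", "referer", "agent")) + "</tr>"


def render_row_safe(entry):
    """Same row with every request-controlled field HTML-escaped."""
    cells = (html.escape(entry[k], quote=True) for k in ("ip", "referer", "agent"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def flag_markup(entries):
    """(ip, field) pairs whose header value carries HTML metacharacters."""
    flagged = []
    for e in entries:
        for field in ("referer", "agent"):
            if "<" in e[field] or ">" in e[field]:
                flagged.append((e["ip"], field))
    return flagged


if __name__ == "__main__":
    rows = [parse_combined(line) for line in SAMPLE_LOG]
    print("\n".join(render_row_safe(r) for r in rows))
    print("flagged:", flag_markup(rows))
```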
    
    Daniel Bowers
    Satus Technology LLC
    securityat_private
    
    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 11:58:01 PDT