///////////////////////////////////////////////////////////////////////
========================>> Security Advisory <<========================
///////////////////////////////////////////////////////////////////////

--------------------------------------------------------------------
VisNetic WebSite XSS vulnerability through HTTP Referer header
--------------------------------------------------------------------

=> Author: Ory Segal - Sanctum Inc. http://www.sanctuminc.com/

=> Release date: 09/12/2002

=> Vendor: Deerfield ( http://www.deerfield.com )
   The following products were found to be vulnerable:
   VisNetic WebSite 3.5.13.1

=> Severity: High

=> Impact: Loss of privacy - user cookies associated with the target site may be stolen in some cases.

=> CVE candidate: Not assigned yet.

=> Summary:
   A Cross Site Scripting vulnerability exists when requesting a non-existent web page from VisNetic WebSite Pro and injecting a malicious script in the HTTP 'Referer' header.

=> Description:
   VisNetic WebSite server returns a customized 404 page when a requested page does not exist. This customized 404 page contains a link to the last visited web page; by clicking on the link the user is redirected back to where he/she came from. This link is created from the data in the HTTP 'Referer' header, which is sent automatically by the web browser, and the server writes that data into the page without encoding it. By requesting a non-existent page and changing the HTTP 'Referer' header to contain malicious JavaScript code, an attacker may force the server to return the JavaScript code to the web browser, where it will be executed in the context of the target site.

=> Example Exploit:
   The following request will return a JavaScript pop-up screen:

   GET /NonExistentPage.html HTTP/1.0
   Host: TARGET
   Accept: */*
   Accept-Language: en-us
   User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
   Referer: "></a><script>alert('Cross Site Scripting')</script>

=> Fix:
   The new version of VisNetic WebSite (3.5.15) solves this problem.
   You can download it from: http://www.deerfield.com/products/visnetic_website/

=> Note:
   This XSS vulnerability (and many others) can be tested with Sanctum's web application security scanner, AppScan.
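The flaw described above is a classic reflected XSS: a request header that the browser sets on the user's behalf ends up inside an HTML attribute with no encoding. The following Python is an added example, not VisNetic or Sanctum code, and is a hypothetical reconstruction of the 404-page logic rather than the vendor's actual implementation. It places a vulnerable renderer beside a hardened one that (a) only accepts an absolute http(s) URL as a "back" link and (b) HTML-encodes the value before it is written into the href attribute. The sample Referer values, including the one taken from the advisory's request, are constructed test inputs.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs. The first is the Referer value from the advisory's
# example request; the second is an ordinary browser-supplied Referer.
MALICIOUS_REFERER = '"></a><script>alert(\'Cross Site Scripting\')</script>'
BENIGN_REFERER = "http://www.example.com/index.html"


def render_404_vulnerable(referer: Optional[str]) -> str:
    """Hypothetical reconstruction of the flawed behaviour: the raw Referer
    value is pasted straight into the href attribute of the 'back' link."""
    return (
        "<html><body><h1>404 Not Found</h1>"
        f'<p>Go back to <a href="{referer or ""}">where you came from</a>.</p>'
        "</body></html>"
    )


def safe_back_link(referer: Optional[str]) -> Optional[str]:
    """Accept the Referer only if it parses as an absolute http(s) URL.

    Anything else (empty, relative, a non-http scheme such as javascript:,
    or attribute-breaking junk with no scheme at all) yields None so that no
    link is emitted. This is the input-validation layer."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return referer


def render_404_safe(referer: Optional[str]) -> str:
    """Hardened renderer: validate the URL, then HTML-encode it on output.

    html.escape with quote=True turns '"', '<', '>', '&' and "'" into entities,
    so even an otherwise valid URL whose query string carries markup cannot
    close the attribute or start a tag. This is the output-encoding layer."""
    link = safe_back_link(referer)
    body = "<html><body><h1>404 Not Found</h1>"
    if link is None:
        body += "<p>The page you requested does not exist.</p>"
    else:
        encoded = html.escape(link, quote=True)
        body += f'<p>Go back to <a href="{encoded}">where you came from</a>.</p>'
    return body + "</body></html>"


def contains_script_tag(body: str) -> bool:
    """Crude check used here only to show the difference between the two
    renderers: does a literal <script tag appear in the emitted HTML?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    print("vulnerable:", contains_script_tag(render_404_vulnerable(MALICIOUS_REFERER)))
    print("hardened:  ", contains_script_tag(render_404_safe(MALICIOUS_REFERER)))
```

Both layers matter: validation alone would still let a legitimate-looking http URL with a crafted query string break out of the attribute, and encoding alone would still emit a clickable link with a non-http scheme. The fix in 3.5.15 is the vendor's; what a reviewer checks for in any custom error page is that every request-derived value reaches the HTML only through an encoder appropriate to its context.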