[SCSA-013] Cross Site Scripting vulnerability in testcgi.exe

From: Grégory (gregory.lebras@security-corporation.com)
Date: Thu Mar 27 2003 - 06:38:05 PST

Next message: Arhont Information Security: "SNMP security issues in D-Link DSL Broadband Modem/Router"

Previous message: sir.mordredat_private: "@(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) ________________________________________________________________________ Security Corporation Security Advisory [SCSA-013] ________________________________________________________________________ PROGRAM: Ceilidh HOMEPAGE: http://www.lilikoi.com VULNERABLE VERSIONS: 2.70 and prior ________________________________________________________________________ DESCRIPTION ________________________________________________________________________ "Ceilidh is a Web-based threaded discussion engine that features automatic text to HTML conversion, file attachment, e-mail notification, automatic message expiration, multiple levels of security and much more." (direct quote from http://www.lilikoi.com) DETAILS & EXPLOITS ________________________________________________________________________ ¤ Cross Site Scripting : A exploitable bug was found on Ceilidh which cause script execution on client's computer by following a crafted url. This kind of attack known as "Cross-Site Scripting Vulnerability" is present in testcgi.exe file, an attacker can input specially crafted links and/or other malicious scripts. - Exploits : http://[target]/cgi-bin/testcgi.exe?[hostile_code] The hostile code could be : [script]alert("Cookie="+document.cookie)[/script] (open a window with the cookie of the visitor.) (replace [] by <>) SOLUTIONS ________________________________________________________________________ No solution for the moment. VENDOR STATUS ________________________________________________________________________ The vendor has reportedly been notified. LINKS ________________________________________________________________________ - http://www.security-corp.org/index.php?ink=4-15-1 - Version Française : http://www.security-corporation.com/index.php?id=advisories&a=013-FR ------------------------------------------------------------------------ Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com ------------------------------------------------------------------------

Next message: Arhont Information Security: "SNMP security issues in D-Link DSL Broadband Modem/Router"
Previous message: sir.mordredat_private: "@(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 10:07:06 PST