This e-mail is to provide the correct CVE Candidate Number for the
vulnerability mentioned below.

The correct CVE Number is: CAN-2002-0375.

The referenced SecurityTracker report contains the correct number -- it
was just my e-mail that contained the error. My apologies for the
cut-n-paste goof and thanks to Steve Christey for pointing this out.

Stuart

> Hi,
>
> On April 17, 2002, frog-m@n posted a message to vuln-dev with a note
> about a cross-site scripting bug in a script called Sgdynamo. See:
>
> http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0155.html
> http://www.ifrance.com/kitetoua/tuto/5holes1.txt
>
> The vendor has since released a fix. I've included a brief extract from
> http://securitytracker.com/alerts/2002/May/1004257.html with the
> essential details, including information from the vendor how to obtain a
> fix. CVE number is CAN-2002-0356. <<< This is the wrong number!
>
> Stuart
>
> ------------------------------------------------------------------------
> Ecometry's SGDynamo Web Application Engine Allows Remote Users to
> Conduct Cross-Site Scripting Attacks
> ------------------------------------------------------------------------
>
> [Description]:
>
> A vulnerability was reported in Ecometry's SGDynamo web application
> engine. A remote user can conduct cross-site scripting attacks against
> users of web sites running SGDynamo.
>
> The 'sgdynamo.exe' script will display user-supplied data when a URL
> error is encountered. The data is displayed without being properly
> escaped.
>
> This vulnerability was recently reported by frog-m@n on the following
> web site:
>
> http://www.ifrance.com/kitetoua/tuto/5holes1.txt
>
> In that post, frog-m@n indicated that the following type of URL could
> be used to cause the server to display the user-supplied script code:
>
> http://[targethost]/sgdynamo.exe?HTNAME=<script>SCRIPT</script>
>
> A remote user could create HTML containing malicious scripting that,
> when loaded by a target (victim) user, would cause the target user's
> browser to execute the scripting. The code would appear to originate
> from the web site running the Ecometry software and would run in the
> security context of that site. As a result, the code could access the
> target user's cookies associated with that web site.
>
> [Editor's notes: Ecometry was formerly known as Smith-Gardner. Also,
> thanks to Krissy for her help on this, to Bryan @ Ecometry for his
> cooperation, and of course to frog-m@n who discovered the flaw.
> Finally, the vendor was very quick to fix this flaw once notified.]
>
>
> [Impact Summary]:
>
> Disclosure of authentication information, Execution of arbitrary code
> via network
>
>
> [Impact Text]:
>
> A remote user could access another user's cookies associated with the
> site running 'sgdynamo.exe'.
>
>
> [Solution]:
>
> The vendor has released a fix for versions 5.32T and above (5.32U,
> 6.1, 7.00). Customers should call their Ecometry Customer Support Rep
> in order to obtain the fixed code. Customers should reference Job #
> 181625-01 when requesting the code.
>
> ------------------------------------------------------------------------
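
The reflection described in the quoted advisory, as an added example that is not part of the original message and is not Ecometry's code: a constructed error page that echoes HTNAME, rendered unescaped and HTML-escaped, with a parser-based check for markup the parameter introduces. The template text, host name and function names are assumptions.

```python
# Added illustration, not SGDynamo code: the error-page template, host name
# and function names are assumptions. Only HTNAME comes from the advisory.
import html
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

TEMPLATE = "<html><body><p>Error: template {name} not found.</p></body></html>"


def htname_from_url(url):
    """Return the decoded HTNAME query parameter, or '' if it is absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("HTNAME", [""])[0]


def error_page_unescaped(url):
    """Behaviour the advisory describes: the value is echoed as-is."""
    return TEMPLATE.format(name=htname_from_url(url))


def error_page_escaped(url):
    """Corrected form: HTML-encode the value before it enters the page."""
    return TEMPLATE.format(name=html.escape(htname_from_url(url), quote=True))


class TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in the page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


def injected_tags(page):
    """Start tags present beyond those of the template rendered with no input."""
    extra = Counter(start_tags(page)) - Counter(start_tags(TEMPLATE.format(name="")))
    return sorted(extra.elements())


# Constructed request using the URL shape quoted in the advisory.
SAMPLE = "http://example.test/sgdynamo.exe?HTNAME=<script>SCRIPT</script>"
```

A check like injected_tags() can serve as a regression test after the vendor fix is applied: any tag that appears only because of the parameter value means the output is still unescaped.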
This archive was generated by hypermail 2b30 : Fri May 10 2002 - 18:14:41 PDT