lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 03 Jul 2007 18:01:30 +0100
From: "A. R." <r00t@...thernfortress.net>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Cross Site Scripting in Oliver Library Management System

BACKGROUND
==========
"Oliver is the web-based Library Management System for Schools. Softlink
has built on the understanding of thousands of school clients, over many
years, and has designed a new system for school libraries and learning
resource centres in the 21st century"
-- from http://www.softlink.co.uk:


DETAILS
=======
During a penetration test for an educational institution, several XSS
vulnerabilities were found in their Oliver installations. Due to the
test constraints it was not possible to ascertain the exact version of
the product, but all instances that have been tested have been found
trivially vulnerable

Some of the vulnerable input fields include:

1) GET parameters
http://www.victim.com/oliver/gateway/gateway.exe?X_=000f&application=Oliver&displayform=main&updateform="><script>alert("XSS");</script>
http://www.victim.com/oliver/gateway/gateway.exe?X_=000f&displayform=main"><script>alert("XSS");</script>

2) POST parameters in search forms
In the Basic Search page, the following parameters are vulnerable:
- TERMS
- database
- srchad
- SuggestedSearch
- searchform

As a Proof-Of-Concept exploit, the following string can be appended to
any of the listed parameters:
"><script>alert("xss");</script>

3) Username login field:
The application also fails to properly filter the username parameter, as
can be seen when passing to the application the following string as
username:

--><script>alert("xss")</script>



VENDOR RESPONSE
===============
15/06/2007 Vendor contacted. No response received
25/06/2007 Vendor contacted for the second time. No response received
03/07/2007 Advisory published

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ