| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Jun 2010 22:56:31 +1000 From: Patrick Webster <patrick@...hack.com> To: bugtraq@...urityfocus.com Subject: Paessler - PRTG Traffic Grapher XSS aushack.com - Vulnerability Advisory ----------------------------------------------- Release Date: 08-Jun-2010 Software: Paessler - PRTG Traffic Grapher http://www.paessler.com "PRTG Network Monitor runs 24/7 on a Windows-based machine within your network, recording network usage parameters. Recorded data is stored in a database for historic reports." Versions tested: Paessler PRTG Traffic Grapher v6.2.1.945 Vulnerability discovered: HTML / Javascript Injection (XSS) Vulnerability impact: Medium - If an authenticated user was enticed to visit a malicious URL, it would be possible to steal the authentication cookie etc. Vulnerability information: The 'url' GET parameter of 'login.htm' is vulnerable. Example: http://[victim]:8080/login.htm?url="><script>alert(document.cookie)</script> References: aushack.com advisory http://www.aushack.com/201006-prtg.txt Credit: Patrick Webster ( patrick@...hack.com ) Disclosure timeline: 05-Jan-2009 - Discovered during audit. 06-Jan-2009 - Notified vendor. 08-Jan-2009 - Vendor releases update 6.2.1.963/964. 08-Jun-2010 - Disclosure. EOF
Powered by blists - more mailing lists