Message-ID: <6650.1071138964@www17.gmx.net>
Date: Thu, 11 Dec 2003 11:36:04 +0100 (MET)
From: "Oliver Karow" <Oliver.Karow@....de>
To: bugtraq@...urityfocus.com
Subject: Remotely Anywhere Message Injection Vulnerability
Remotely Anywhere Message Injection Vulnerability
=================================================
In addition to http://www.securityfocus.com/bid/9120, I found that it is
possible to inject a message into the login page of Remotely Anywhere.
It's not an XSS attack, because there is no directly executed script code,
even if a msg-box pops up containing the injected message
(have a look at http://www.oliverkarow.de/research/ra.jpg for a
screenshot).
Exploiting:
===========

https://host:2000/default.html?logout=asdf&reason=Please%20set%20your%20password%20to%20ABC123%20after%20login

Vulnerable:
===========

This vuln. was tested on "Remotely Anywhere Enterprise Edition"

Discovered by:
==============

oliver.karow_gmx.de
www.oliverkarow.de
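
A defender-side check for the behaviour reported above, added here as an example and not part of the original post or of the product: it scans web access log lines for requests to `/default.html` whose `reason` parameter carries free text. It assumes the full request line is logged in common/combined format (for instance by a reverse proxy in front of the host); the `EXPECTED_REASONS` values, the function names and the sample log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: reason values the operator expects to see. The post does not
# list the product's own values, so these are placeholders to be replaced.
EXPECTED_REASONS = {"timeout", "logout"}

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def injected_reason(log_line, expected=EXPECTED_REASONS):
    """Return the decoded `reason` text if the line is a request to
    /default.html carrying an unexpected `reason` value, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if url.path.lower() != "/default.html":
        return None
    # parse_qs percent-decodes values and turns '+' into a space.
    for value in parse_qs(url.query).get("reason", []):
        # Collapse whitespace so CR/LF or tab padding cannot hide the text.
        text = " ".join(value.split())
        if text and text.lower() not in expected:
            return text
    return None

def scan(lines, expected=EXPECTED_REASONS):
    """Yield (line_number, decoded_message) for every suspicious request."""
    for number, line in enumerate(lines, start=1):
        text = injected_reason(line, expected)
        if text is not None:
            yield number, text

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Dec/2003:11:40:01 +0100] "GET /default.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [11/Dec/2003:11:40:09 +0100] "GET /default.html?logout=1&reason=timeout HTTP/1.1" 200 5200',
    '198.51.100.7 - - [11/Dec/2003:11:41:30 +0100] "GET /default.html?logout=asdf&reason=Please%20set%20your%20password%20to%20ABC123%20after%20login HTTP/1.1" 200 5311',
    '198.51.100.7 - - [11/Dec/2003:11:42:02 +0100] "GET /other.html?reason=Please%20call HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for number, text in scan(SAMPLE_LOG):
        print(f"line {number}: injected login message: {text!r}")
```

Hits show the exact text a user would have seen in the login-page message box, which is what an analyst needs in order to judge whether the link was used for social engineering.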