Open Source and information security mailing list archives
Date: Wed, 8 Feb 2006 00:01:20 -0800 (PST)
From: Adrian Castro <acastro@...uxquestions.net>
To: bugtraq@...urityfocus.com
Subject: WiredRed EPOP XSS Vulnerability


WiredRed EPOP XSS Vulnerability

     ---Summary---

     Software Affected:  EPOP WebConference Server
     Software Versions:  4.1.0.755
     Vendor's URL:       www.wiredred.com
     Vulnerability Type: Cross Site Scripting
     Proof of Concept:   An exploit is not required
     Threat Level:       Low

     ---Product Description---

     e/pop from WiredRed provides a complete solution for all of your real-time communications requirements: web and desktop video conferencing, secure IM and alert messaging. As a user, you'll love the hassle-free interface and breadth of options that will enhance your training, sales and collaboration.

     ---Vulnerability Description---

     When creating public or private conferences in the e/pop server, the topic name is not properly sanitized.  The topic is rendered on the root (login) page of the e/pop web server, so a stored XSS attack is possible: every user who visits that page can be fooled into entering their login information on a remote server, among other things.  By default, the e/pop web server accepts connections without SSL, with SSL available only as an option.  Any standard authenticated user can perform this attack against all other users or visitors of the web server.
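     As an added illustration (not e/pop's own code; the rendering functions, the sample conferences and the topic regex are assumptions), a minimal Python model of a login page that lists conference topics, first interpolating the topic unescaped as the advisory describes, then with HTML output encoding plus an input-side check on the topic name:

```python
import html
import re

# Constructed sample data: the second topic carries markup of the kind an
# authenticated user could submit as a conference title.
CONFERENCES = [
    {"id": 1, "topic": "Weekly sales sync"},
    {"id": 2, "topic": "Q1 review <script>alert(1)</script>"},
]

def render_login_page_vulnerable(conferences):
    """Places the stored topic straight into the HTML (the flaw described above)."""
    rows = "".join(
        f'<li><a href="/join?id={c["id"]}">{c["topic"]}</a></li>' for c in conferences
    )
    return f"<html><body><h1>Login</h1><ul>{rows}</ul></body></html>"

def render_login_page_fixed(conferences):
    """Output encoding: every user-controlled value is escaped for its HTML context."""
    rows = "".join(
        f'<li><a href="/join?id={int(c["id"])}">{html.escape(c["topic"])}</a></li>'
        for c in conferences
    )
    return f"<html><body><h1>Login</h1><ul>{rows}</ul></body></html>"

def validate_topic(topic, max_len=100):
    """Input-side control: accept only plain conference titles (assumed policy)."""
    return 0 < len(topic) <= max_len and re.fullmatch(r"[\w .,:'()-]+", topic) is not None

def contains_unescaped_tags(page, user_values):
    """Defender's check: does any raw value containing '<' or '>' survive verbatim?"""
    return any(v in page and ("<" in v or ">" in v) for v in user_values)
```

The check models a simple regression test for the fix: run it over the rendered page with every stored topic and fail the build if any markup-bearing value survives unescaped.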

     ---Solution---

     None at this time.

     ---Credit---

     Adrian Castro


