lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080224214843.23047.qmail@securityfocus.com>
Date: 24 Feb 2008 21:48:43 -0000
From: nnposter@...closed.not
To: bugtraq@...urityfocus.com
Subject: Packeteer Products File Listing XSS

Packeteer Products File Listing XSS


Product:

Packeteer PacketShaper
http://www.packeteer.com/products/packetshaper/

Packeteer PolicyCenter
http://www.packeteer.com/products/packetshaper/policycenter.cfm


The web management interface of several Packeteer products contains a cross-site scripting vulnerability in the file listing function. Parameter FILELIST, specified in an arbitrary page request, is not sufficiently sanitized before it gets embedded in the HTML output of the Error Report page. (The parameter value is limited to 64 characters.)

Example:
https://(target)/whatever.htm?FILELIST=%3C/script%3E%3Cbody+onLoad=alert(%26quot%3BXSS%26quot%3B)%3E%3Cscript%3E


The vulnerability has been identified in version 8.2.2. However, other versions may be also affected.


Solution:
Do not stay logged into the Packeteer web management interface while browsing other web sites.


Found by:
nnposter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ