| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Jul 2012 15:17:31 +0200 From: "Oliver Karow" <Oliver.Karow@....de> To: bugtraq@...urityfocus.com Subject: Dr. Web Control Center Admin UI Remote Script Code Injection Dr. Web Control Center Admin UI Remote Script Code Injection ============================================================= Affected Products/Versions -------------------------- Product Name: Dr. Web Enterprise Server Version Number: 6.00.3.201111300 Product/Company Information --------------------------- >From Dr. Web's website: "Dr.Web Enterprise Security Suite is a set of Dr.Web software products incorporating anti-viruses for protection of all hosts in a corporate network and a single Control Center for managing most of the products." Dr. Web's Website can be found at http://www.drweb.com Vulnerability Description ------------------------- Dr. Web Enterprise Security Suite is managed via a web based interface called Control Center. If an attacker suplies java script code instead of a username on the login page, this script code will be automatically executed every time an administrative user is viewing the audit log. This attack can be used to steal authentication cookies or to drive further attacks. Patch Information ----------------- Patch is available from vendor. Advisory Information --------------------- This: http://www.oliverkarow.de/research/drweb.txt History ------- 13/07/2012 - Informing Dr. Web about vulnerability 16/07/2012 - Initial response from Dr. Web 23/07/2012 - Fix successfully tested, sent response to Dr. Web 30/07/2012 - Advisory release
Powered by blists - more mailing lists