Message-ID: <E1B5xLd-0003T8-00@gadolinium.btinternet.com>
From: r.i.c.h at btopenworld.com (Richard Maudsley)
Subject: Fw: Re: Centrinity FirstClass HTTP Server Cross Site Scripting

-- Original message --
From: "FirstClass Mail Tech" <mailtech@...stclass.com>
To: "Richard Maudsley" <r.i.c.h@...penworld.com>
Date:
Subject: Re: Centrinity FirstClass HTTP Server Cross Site Scripting
---------------------------

Hello Richard,

Sorry if you get this twice. This is a response directly from our Engineering department.

>Description: Injected code is rendered in the context of the vulnerable
>page.
>
>Exploit:
>http://[TARGET]/.Templates/Commands/Upload.shtml?TargetName=<script>alert('XSS')</script>
>
>It may be possible to steal cookies from users who are logged into the
>system.
>

"This is a bug, although not quite as serious as the author might think. Basically the cookie contains no actual decodable data (like password, userID, etc.), it is short lived (duration of session), and it is usually IP address sensitive (config dependent).

To quote my expert:

It does, though (like most such vulnerabilities) it would require a fair amount of human engineering to exploit. What this would allow is for someone to acquire a user's login cookie. The user would have to be logged in on the web and click on a malicious URL (possibly in a message), which would allow a user to harvest their current login cookie. It won't be useful if the "don't allow sessions to switch IP address" checkbox is on in the advanced web & FTP form, or if the user logs out (or times out) before the harvester can use the cookie (typically, a matter of minutes). Overall I would rate this as a "low" vulnerability.

...

If a given customer needs immediate relief, have them edit their Upload.shtml file and find and remove the following bit of code (it's a small file, so it isn't hard to find):

<!--#if expr="<X-FC-URL-PARAMETER TargetName EXISTS>"--><X-FC-URL-PARAMETER TargetName> <!--#endif-->

>It is likely that other pages are also vulnerable.

The only other pages are some error pages which can be similarly modified."

Thank you,

FirstClass Mail Tech
Open Text, FirstClass Messaging Division

"Email, fax, voice-mail, calendaring, conferencing....get to your information from any device, anywhere, anytime."

Come and see our new FirstClass Support website: http://www.firstclass.com/support/

-- End of message --
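The two points the vendor's reply turns on, a template directive that echoes a URL parameter verbatim into the page and a session cookie that is opaque, short-lived and bound to the client IP, modelled as an added Python example. This is not code from the original post or from FirstClass; the `X-FC-URL-PARAMETER` directive pattern, the `Upload.shtml`-like template fragment, the `upload.example` host, all function names and the sample values are assumptions constructed for the illustration. The example renders the parameter both unencoded (the reported behaviour) and HTML-encoded, runs a simple reflection check over both outputs, and shows why an IP-bound, expiring session cookie limits what a harvested cookie is worth.

```python
import html
import re
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample request carrying a script payload in TargetName
# (host and path are illustrative, not a real system).
SAMPLE_URL = ("http://upload.example/.Templates/Commands/Upload.shtml"
              "?TargetName=%3Cscript%3Ealert(1)%3C/script%3E")

# Hypothetical directive pattern mirroring the SSI-style syntax quoted in the
# post; FirstClass's real template parser is not modelled here.
DIRECTIVE = re.compile(r"<X-FC-URL-PARAMETER\s+(\w+)>")

# Constructed fragment of an Upload.shtml-like template.
TEMPLATE = "<p>Uploading to: <b><X-FC-URL-PARAMETER TargetName></b></p>"


def query_params(url):
    """Parse the URL query string into {name: [values]}."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def render(template, params, escape):
    """Expand each directive with the named query parameter.
    escape=False reproduces the verbatim echo behind the reflected XSS;
    escape=True HTML-encodes the value before it reaches the page."""
    def expand(match):
        value = params.get(match.group(1), [""])[0]
        return html.escape(value, quote=True) if escape else value
    return DIRECTIVE.sub(expand, template)


def reflected_unencoded(url, page):
    """Detection check: names of query parameters whose value contains
    markup characters and appears verbatim in the rendered page."""
    return sorted(name for name, values in query_params(url).items()
                  if any(("<" in v or '"' in v) and v in page for v in values))


class SessionStore:
    """Session cookies as the vendor describes them: opaque (no user data
    inside), short-lived, and optionally bound to the client IP address."""

    def __init__(self, ttl_seconds, bind_ip=True, clock=time.time):
        self.ttl = ttl_seconds
        self.bind_ip = bind_ip
        self.clock = clock            # injectable for deterministic testing
        self._sessions = {}           # cookie -> (client_ip, expiry)

    def login(self, client_ip):
        cookie = secrets.token_urlsafe(16)   # random token, nothing decodable
        self._sessions[cookie] = (client_ip, self.clock() + self.ttl)
        return cookie

    def valid(self, cookie, client_ip):
        entry = self._sessions.get(cookie)
        if entry is None:
            return False
        ip, expiry = entry
        if self.clock() >= expiry:
            del self._sessions[cookie]       # timed out: same as logged out
            return False
        return (not self.bind_ip) or ip == client_ip


def demo():
    """Render the constructed template both ways and check each for reflection."""
    params = query_params(SAMPLE_URL)
    vulnerable = render(TEMPLATE, params, escape=False)
    hardened = render(TEMPLATE, params, escape=True)
    return {
        "vulnerable_page": vulnerable,
        "hardened_page": hardened,
        "vulnerable_findings": reflected_unencoded(SAMPLE_URL, vulnerable),
        "hardened_findings": reflected_unencoded(SAMPLE_URL, hardened),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vendor's immediate fix was to delete the directive from `Upload.shtml`, which is equivalent here to rendering a template with no `DIRECTIVE` match; the `escape=True` path shows the general remedy of encoding the value when the echo is actually needed. `SessionStore` is the reply's cookie argument in code: with `bind_ip=True` a cookie harvested by the script is rejected from any other address, and once the TTL passes it is rejected everywhere.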