Home page logo
/

bugtraq logo Bugtraq mailing list archives

DeepMetrix LiveStats javascript injection
From: <security () satus com>
Date: 17 Jun 2002 23:05:11 -0000



Background:
DeepMetrix (formerly MediaHouse) LiveStats is server
software that provides an interactive web based summary
of website traffic based on HTTP server logs.

Details:
By crafting special user-agent or referer headers on
HTTP requests to a web site that is monitored by
LiveStats, arbitrary javascript can be executed in the
browser of a person viewing the LiveStats HTML reports.
LiveStats displays the browser-tag and referer strings
in its reports verbatim, including any script tags.
Script that discloses the URL of the LiveStats
interface could allow access that is normally protected
by a private ServerID.

Demonstration:
Browse http://www.deepmetrix.com/ with a user-agent of
XXX&lt;script&gt;alert("foo");&lt;/script&gt;
Then browse the Demo of LiveStats available on the
Deepmetrix web site at:
http://livestats.deepmetrix.com/stats?type=login&action=login&serverid=deepmetrix&username=guest
In the "Tabular - Who's On - XX Active Visitors" area
of the "Who's On" page, expand the IP address that
fetched. The next window will include the alert() popup.

Versions between 5.03 and 6.2.1 are affected. Vendor
was notified on 5/17/2002.

Daniel Bowers
Satus Technology LLC
security () satus com


  By Date           By Thread  

Current thread:
  • DeepMetrix LiveStats javascript injection security (Jun 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault