
Full Disclosure mailing list archives

Fw: Re: Centrinity FirstClass HTTP Server Cross Site Scripting
From: "Richard Maudsley" <r.i.c.h () btopenworld com>
Date: Wed, 24 Mar 2004 01:38:38 +0000

-- Original message --
From: "FirstClass Mail Tech" <mailtech () firstclass com>
To: "Richard Maudsley" <r.i.c.h () btopenworld com>
Subject: Re: Centrinity FirstClass HTTP Server Cross Site Scripting
Hello Richard,

Sorry if you get this twice. This is a response directly from our
Engineering department.

Description: Injected code is rendered in the context of the vulnerable


It may be possible to steal cookies from users who are logged into the

"This is a bug, although not quite as serious as the author might think. 
Basically the cookie contains no actual decodable data (like password,
userID, etc.), it is short lived (duration of session), and it is usually IP
address sensitive (config dependent). To quote my expert:

It does, though (like most such vulnerabilities) it would require a fair
amount of human engineering to exploit.  What this would allow is for
to acquire a user's login cookie.  The user would have to be logged in on
web and click on a malicious URL (possibly in a message), which would allow
user to harvest their current login cookie.  It won't be useful if the
allow sessions to switch IP address" checkbox is on in the advanced web &
form, or if the user logs out (or times out) before the harvester can use
cookie (typically, a matter of minutes).  Overall I would rate this as a
"low" vulnerability.
If a given customer needs immediate relief, have them edit their
file and find and remove the following bit of code (it's a small file, so it
isn't hard to find):


It is likely that other pages are also vulnerable.
The only other pages are some error pages which can be similarly modified."

Thank you, 

FirstClass Mail Tech
Open Text, FirstClass Messaging Division
"Email, fax, voice-mail, calendaring, conferencing....get to your
from any device, anywhere, anytime."
Come and see our new FirstClass Support website:
-- End of message --

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
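
The three mitigating factors named in the reply above (a cookie with no decodable data, a session-length lifetime, and optional binding to the client IP address) can be sketched as a server-side session check. This is an added example, not FirstClass code and not part of the original message; `SessionStore`, the 600-second lifetime and the documentation-range IP addresses are assumptions constructed for illustration.

```python
import secrets
import time

class SessionStore:
    """Opaque, short-lived session cookies with optional IP pinning (hypothetical)."""
    def __init__(self, ttl_seconds=600, pin_ip=True, clock=time.monotonic):
        self.ttl = ttl_seconds      # assumed lifetime, in seconds
        self.pin_ip = pin_ip        # False models "allow sessions to switch IP address"
        self.clock = clock
        self._sessions = {}         # token -> (user, client_ip, expires_at)

    def login(self, user, client_ip):
        token = secrets.token_urlsafe(32)   # random value; encodes no user ID or password
        self._sessions[token] = (user, client_ip, self.clock() + self.ttl)
        return token

    def logout(self, token):
        self._sessions.pop(token, None)     # server-side removal invalidates the cookie

    def validate(self, token, client_ip):
        """Return (user, "ok") on success or (None, reason) on rejection."""
        entry = self._sessions.get(token)
        if entry is None:
            return None, "unknown-or-logged-out"
        user, bound_ip, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[token]
            return None, "expired"
        if self.pin_ip and client_ip != bound_ip:
            return None, "ip-mismatch"      # cookie replayed from another address
        return user, "ok"

def demo():
    now = [0.0]                             # constructed clock so the demo is deterministic
    clock = lambda: now[0]
    pinned = SessionStore(ttl_seconds=600, pin_ip=True, clock=clock)
    loose = SessionStore(ttl_seconds=600, pin_ip=False, clock=clock)
    t1 = pinned.login("alice", "192.0.2.10")    # constructed sample values
    t2 = loose.login("alice", "192.0.2.10")
    results = {
        "pinned_same_ip": pinned.validate(t1, "192.0.2.10")[1],
        "pinned_other_ip": pinned.validate(t1, "198.51.100.7")[1],
        "loose_other_ip": loose.validate(t2, "198.51.100.7")[1],
    }
    now[0] = 601                            # session lifetime has passed
    results["after_timeout"] = loose.validate(t2, "198.51.100.7")[1]
    pinned.logout(t1)
    results["after_logout"] = pinned.validate(t1, "192.0.2.10")[1]
    return results
```

With pinning disabled, the same cookie presented from a different address validates until the session times out or the user logs out, so in that configuration the short lifetime is the only remaining limit.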
