mailing list archives
Fw: Re: Centrinity FirstClass HTTP Server Cross Site Scripting
From: "Richard Maudsley" <r.i.c.h () btopenworld com>
Date: Wed, 24 Mar 2004 01:38:38 +0000
-- Original message --
From: "FirstClass Mail Tech" <mailtech () firstclass com>
To: "Richard Maudsley" <r.i.c.h () btopenworld com>
Subject: Re: Centrinity FirstClass HTTP Server Cross Site Scripting
Sorry if you get this twice. This is a response directly from our
Description: Injected code is rendered in the context of the vulnerable
It may be possible to steal cookies from users who are logged into the
"This is a bug, although not quite as serious as the author might think.
Basically the cookie contains no actual decodable data (like password,
userID, etc.), it is short lived (duration of session), and it is usually IP
address sensitive (config dependant). To quote my expert:
It does, though (like most such vulnerabilities) it would require a fair
amount of human engineering to exploit. What this would allow is for
to acquire a user's login cookie. The user would have to be logged in on
web and click on a malicious URL (possibly in a message), which would allow
user to harvest their current login cookie. It won't be useful if the
allow sessions to switch IP address" checkbox is on in the advanced web &
form, or if the user logs out (or times out) before the harvester can use
cookie (typically, a matter of minutes). Overall I would rate this as a
If a given customer needs immediate relief, have them edit their
file and find and remove the following bit of code (its a small file, so it
isn't hard to find):
<!--#if expr="<X-FC-URL-PARAMETER TargetName EXISTS>"--><X-FC-URL-PARAMETER
It is likely that other pages are also vulnerable.
The only other pages are some error pages which can be similarly modified."
FirstClass Mail Tech
Open Text, FirstClass Messaging Division
"Email, fax, voice-mail, calendaring, conferencing....get to your
from any device, anywhere, anytime."
Come and see our new FirstClass Support website:
-- End of message --
Full-Disclosure - We believe in it.