[26907] in bugtraq
Cross-Site Scripting in Aestiva's HTML/OS
daemon@ATHENA.MIT.EDU (eax@3xT.org)
Tue Sep 3 17:18:52 2002
Date: Tue, 3 Sep 2002 13:08:14 -0700 (PDT)
From: eax@3xT.org
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.44.0209031252200.17113-100000@sorrow.3xt.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
"Aestiva HTML/OS is a high-performance database engine and development suite for building advanced web sites and web-based software products."
SUMMARY:
The Aestiva HTML/OS CGIs appear vulnerable to XSS due to poor error
reporting (no metacharacter filtering).
Anything you want can be appended to any URL ending in '/' in an area of
the website where HTML/OS is handling the request. The resulting error message
will echo back the unfiltered request.
EXAMPLES:
I'll refrain from listing real-world examples (s/www.example.com/<target>/):
http://www.example.com/pages/htmlos/%3Cscript%3Ealert(document.domain);%3C/script%3E
http://www.example.com/cgi-bin/erba/start/%3Cscript%3Ealert(document.domain);%3C/script%3E
http://www.exmaple.com/cgi-bin/start.cgi/%3Cscript%3Ealert(document.domain);%3C/script%3E
Thousands of websites are currently vulnerable according to Google, including
Aestiva.com.
VENDOR STATUS:
Has been notified but has not responded.
-------------------------------------------------------------------------------
eax / 3xT
