[28175] in bugtraq


VisNetic WebSite XSS vulnerability through HTTP referer header

daemon@ATHENA.MIT.EDU (Ory Segal)
Thu Dec 12 15:14:55 2002

Message-ID: <3DF847C0.60309@sanctuminc.com>
Date: Thu, 12 Dec 2002 10:24:32 +0200
From: Ory Segal <ory.segal@sanctuminc.com>
MIME-Version: 1.0
To: BUGTRAQ@securityfocus.com, webappsec@securityfocus.com
Content-Type: multipart/mixed;
 boundary="------------050308080509080101030206"

--------------050308080509080101030206
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

VisNetic WebSite XSS vulnerability through HTTP Referer header
---------------------------------------------------------------------------------------------

=> Author: Ory Segal - Sanctum inc. http://www.sanctuminc.com/

=> Release date: 09/12/2002

=> Vendor: Deerfield ( http://www.deerfield.com )

The following products were found to be vulnerable:

VisNetic WebSite 3.5.13.1
 
=> Severity: High

=> Impact: Loss of privacy - user cookies associated with the target
site may be stolen in some cases.

=> CVE candidate: Not assigned yet.

=> Summary: A Cross Site Scripting vulnerability exists when requesting a
non-existent web page from VisNetic WebSite pro and injecting a malicious
script in the HTTP 'Referer' header.

=> Description: The VisNetic WebSite server returns a customized 404
page when a requested page does not exist. This customized 404 page
contains a link to the last visited web page, and by clicking on the
link the user is redirected back to where he/she came from. This link
is created from the data in the HTTP 'Referer' header, which is sent
automatically by the web browser. By requesting a non-existent page and
changing the HTTP 'Referer' header to contain malicious JavaScript code,
an attacker may force the application to return the JavaScript code to
the web browser, where it will be executed.

=> Example Exploit: The following request will return a JavaScript
pop-up screen:

GET /NonExistentPage.html HTTP/1.0
Host: TARGET
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('Cross Site Scripting')</script>
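
Added example (not part of the original advisory and not VisNetic's code): a minimal Python model of the 404 back-link described above, showing the unescaped form beside a hardened one. The function names and the page markup are assumptions made for illustration; only the Referer value is taken from the request above.

```python
import html
from urllib.parse import urlsplit

# Referer value from the advisory's example request.
ADVISORY_REFERER = "\"></a><script>alert('Cross Site Scripting')</script>"

LINK_TEXT = "Return to the previous page"


def render_404_vulnerable(referer):
    """Assumed shape of the flaw: the Referer is copied verbatim into href."""
    return ("<html><body><h1>404 Not Found</h1>"
            f'<a href="{referer}">{LINK_TEXT}</a>'
            "</body></html>")


def safe_back_link(referer):
    """Return an escaped back link, or '' if the Referer is not a plain http(s) URL."""
    if not referer or len(referer) > 2048:
        return ""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return ""
    # Allow-list the scheme so javascript: and data: URLs never reach href.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    # quote=True also encodes " and ', so the value cannot close the attribute.
    return f'<a href="{html.escape(referer, quote=True)}">{LINK_TEXT}</a>'


def render_404_hardened(referer):
    """Same page, but the link is omitted or fully escaped."""
    return ("<html><body><h1>404 Not Found</h1>"
            f"{safe_back_link(referer)}"
            "</body></html>")


if __name__ == "__main__":
    print(render_404_vulnerable(ADVISORY_REFERER))
    print(render_404_hardened(ADVISORY_REFERER))
```

The hardened version applies two independent controls: scheme allow-listing decides whether a link is emitted at all, and attribute-context escaping covers values that pass the allow-list but still contain markup characters.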

=> Fix: The new version of VisNetic WebSite (3.5.15) solves this
problem. You can download it from:
http://www.deerfield.com/products/visnetic_website/

=> Note: This XSS vulnerability (and many others) can be tested with
Sanctum's web application security scanner, AppScan.


--------------050308080509080101030206--


