[30194] in bugtraq


[AP] Owl Intranet Engine CSS Bug

daemon@ATHENA.MIT.EDU (methodic@libpcap.net)
Wed May 21 12:48:21 2003

Date: Wed, 21 May 2003 10:22:11 -0400
From: methodic@libpcap.net
To: bugtraq@securityfocus.com
Message-ID: <20030521142211.GA29568@clotch.libpcap.net>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="J2SCkAp4GZ/dPZZf"
Content-Disposition: inline

--J2SCkAp4GZ/dPZZf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

CSS bug allowing session id stealing.. advisory attached.

-- 
+ Microsoft doesn't believe in free() code.

--J2SCkAp4GZ/dPZZf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="0005_AP.owl.txt"

                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -
author:       methodic <methodic@libpcap.net>
release date: 05/21/2003
homepage:     http://sec.angrypacket.com
advisory id:  0x0005

+-------------------- -- -
+ product information
+----------------- -- -
software:     Owl Intranet Engine
vendor:       Chris Vincent
homepage:     http://owl.sourceforge.net
description:
     "Owl is a multi user document repository (knowledgebase) system written
      in PHP4 for publishing of files/documents onto the web for a corporation,
      small business, group of people, or just for yourself."

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem:      Cross-Site Scripting
affected:     Owl 0.71 and previous versions
explanation:  Owl doesn't properly filter metacharacters, allowing injection
              of JavaScript code. Since Owl doesn't assign cookies, and since
              the JavaScript code is placed before the form tag, you need to
              reference the first link in order to steal someone's session id.
risk:         Medium
status:       Vendor was notified 05/18/03, fix is available.
exploit:      Type the following into the 'Search' field:
              <script>alert(document.links[0].href);</script>
fix:          Upgrade to a newer version of Owl

+-------- -- -
+ credits
+----- -- -
Bug was found by methodic of AngryPacket security group.
gr33tz to victim1.. see j00 in KCMO!@#

+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2003 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.

                  - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                  - -- ------------------------- -- -

--J2SCkAp4GZ/dPZZf--
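
The filtering problem the advisory describes, shown as an added example that is not part of the original advisory and is not Owl's code: a search term reflected into a page whose links carry the session id, first unencoded and then encoded on output. The function names, the "sess" URL parameter, the browse.php link and the session value are assumptions made for illustration.

```php
<?php
// Added illustration, not Owl source. All function names, the "sess"
// parameter and browse.php are hypothetical stand-ins for an application
// that keeps its session id in link URLs instead of a cookie.

// Before: the search term is written into the page unchanged, so any
// markup in it is parsed by the browser as part of the document.
function render_search_page_unfiltered(string $query, string $sess): string
{
    return "<p>Results for: " . $query . "</p>\n"
         . "<a href=\"browse.php?sess=" . $sess . "\">Home</a>\n";
}

// After: HTML metacharacters (< > & " ') are encoded at output time, so
// the term is displayed as text. The session value is URL-encoded before
// it is placed in the href attribute.
function render_search_page_encoded(string $query, string $sess): string
{
    $q = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
    $s = rawurlencode($sess);

    return "<p>Results for: " . $q . "</p>\n"
         . "<a href=\"browse.php?sess=" . $s . "\">Home</a>\n";
}

// Search string quoted in the advisory; the session id is constructed.
$query = '<script>alert(document.links[0].href);</script>';
$sess  = 'CONSTRUCTED-SESSION-ID';

echo "--- unfiltered ---\n";
echo render_search_page_unfiltered($query, $sess);

echo "--- encoded ---\n";
echo render_search_page_encoded($query, $sess);
```

Output encoding stops the injected markup from running. Independently of that, carrying the session id in an HttpOnly cookie rather than in link URLs keeps it out of reach of page script.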
