WebBatch WebBatch.EXE Cross-Site Scripting and Information Disclosure Vulnerabilities
BID:25744
Info
WebBatch WebBatch.EXE Cross-Site Scripting and Information Disclosure Vulnerabilities
| Bugtraq ID: | 25744 |
| Class: | Unknown |
| CVE: |
CVE-2007-5011 CVE-2007-5010 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 20 2007 12:00AM |
| Updated: | Jul 05 2016 10:00PM |
| Credit: | Doz of hackerscenter.com discovered these issues. |
| Vulnerable: |
Wilson WindowWare WebBatch 0 |
| Not Vulnerable: | |
Discussion
WebBatch WebBatch.EXE Cross-Site Scripting and Information Disclosure Vulnerabilities
WebBatch is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The attacker may leverage the information-disclosure issue to obtain potentially sensitive information that could aid in further attacks.
Reports indicate that WebBatch 2007D is not affected by the cross-site scripting issue.
WebBatch is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The attacker may leverage the information-disclosure issue to obtain potentially sensitive information that could aid in further attacks.
Reports indicate that WebBatch 2007D is not affected by the cross-site scripting issue.
Exploit / POC
WebBatch WebBatch.EXE Cross-Site Scripting and Information Disclosure Vulnerabilities
Attackers can exploit these issues via a web browser. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting user to follow a maliciously crafted URI.
The following example URIs are available:
http://www.example.com/webcgi/webbatch.exe?XSS
http://www.example.com/webcgi/webbatch.exe?PATH/XSS
http://www.example.com/webcgi/webbatch.exe?dumpinputdata
Attackers can exploit these issues via a web browser. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting user to follow a maliciously crafted URI.
The following example URIs are available:
http://www.example.com/webcgi/webbatch.exe?XSS
http://www.example.com/webcgi/webbatch.exe?PATH/XSS
http://www.example.com/webcgi/webbatch.exe?dumpinputdata
Solution / Fix
WebBatch WebBatch.EXE Cross-Site Scripting and Information Disclosure Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
WebBatch WebBatch.EXE Cross-Site Scripting and Information Disclosure Vulnerabilities
References:
References:
- Vendor Homepage (WebBatch)
- WebBatch Applications Cross Site Scripting Vulrnability (Doz)