BRS WebWeaver ISAPISkeleton.dll Cross-Site Scripting Vulnerability
BID:9516
Info
BRS WebWeaver ISAPISkeleton.dll Cross-Site Scripting Vulnerability
| Bugtraq ID: | 9516 |
| Class: | Input Validation Error |
| CVE: |
CVE-2004-2128 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 28 2004 12:00AM |
| Updated: | Jul 12 2009 02:06AM |
| Credit: | Discovery of this issue is credited to Oliver Karow. |
| Vulnerable: |
BRS WebWeaver 1.0.7 |
| Not Vulnerable: | |
Discussion
BRS WebWeaver ISAPISkeleton.dll Cross-Site Scripting Vulnerability
BRS WebWeaver has been reported prone to a cross-site scripting vulnerability. An attacker may create a malicious link to the vulnerable server that includes embedded HTML and script code. If this link is followed by a victim user, hostile code embedded in the link may be rendered in the user's browser in the context of the server.
Successful exploitation could permit theft of cookie-based authentication credentials or other attacks.
This issue was reported in BRS WebWeaver 1.07. Earlier versions may also be affected.
BRS WebWeaver has been reported prone to a cross-site scripting vulnerability. An attacker may create a malicious link to the vulnerable server that includes embedded HTML and script code. If this link is followed by a victim user, hostile code embedded in the link may be rendered in the user's browser in the context of the server.
Successful exploitation could permit theft of cookie-based authentication credentials or other attacks.
This issue was reported in BRS WebWeaver 1.07. Earlier versions may also be affected.
Exploit / POC
BRS WebWeaver ISAPISkeleton.dll Cross-Site Scripting Vulnerability
The following example was provided:
http://www.example.com/scripts/ISAPISkeleton.dll?<script>alert("Ooops!")</script>
The following example was provided:
http://www.example.com/scripts/ISAPISkeleton.dll?<script>alert("Ooops!")</script>
Solution / Fix
BRS WebWeaver ISAPISkeleton.dll Cross-Site Scripting Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
BRS WebWeaver ISAPISkeleton.dll Cross-Site Scripting Vulnerability
References:
References:
- BRS WebWeaver - HTTP & FTP Server (BRS)
- BRS WebWeaver Webserver Cross Site Scripting Vulnerability (Oliver Karow
)