From: securitysatus.com
Date: Mon Jun 17 2002 - 18:05:11 CDT

    Background:
    DeepMetrix (formerly MediaHouse) LiveStats is server
    software that provides an interactive web based summary
    of website traffic based on HTTP server logs.

    Details:
    By crafting special user-agent or referer headers on
    HTTP requests to a web site that is monitored by
    LiveStats, arbitrary JavaScript can be executed in the
    browser of a person viewing the LiveStats HTML reports.
    LiveStats displays the browser-tag and referer strings
    in its reports verbatim, including any script tags.
    Script that discloses the URL of the LiveStats
    interface could allow access that is normally protected
    by a private ServerID.

    Demonstration:
    Browse http://www.deepmetrix.com/ with a user-agent of
    XXX<script>alert("foo");</script>
    Then browse the Demo of LiveStats available on the
    Deepmetrix web site at:
    http://livestats.deepmetrix.com/stats?type=login&action=login&serverid=deepmetrix&username=guest
    In the "Tabular - Who's On - XX Active Visitors" area
    of the "Who's On" page, expand the IP address that
    fetched it. The next window will include the alert() popup.

    Versions between 5.03 and 6.2.1 are affected. Vendor
    was notified on 5/17/2002.

    Daniel Bowers
    Satus Technology LLC
    securitysatus.com
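The defect the advisory describes is log-derived header values being copied into an HTML report unescaped. The following is an added example, not LiveStats code and not from the advisory: it parses constructed Combined Log Format lines (one of them carrying the user-agent string from the demonstration above), renders each visitor row the verbatim way and the escaped way, and checks which output still contains foreign markup. Log lines, IP addresses and function names are assumptions made for the example.

```python
import html
import re

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent".
# A literal quote inside a quoted field is logged as \" so the pattern accepts that.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines (not from the advisory). The second one carries the
# user-agent string the advisory uses in its demonstration.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2002:18:05:11 -0500] "GET / HTTP/1.0" 200 1234 '
    '"http://example.com/" "Mozilla/4.0"',
    '203.0.113.9 - - [17/Jun/2002:18:06:02 -0500] "GET / HTTP/1.0" 200 1234 '
    '"-" "XXX<script>alert(\\"foo\\");</script>"',
]

def parse_log(lines):
    """Parse combined-format lines into dicts, skipping lines that do not match."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            for field in ("referer", "agent"):
                entry[field] = entry[field].replace('\\"', '"')  # undo log escaping
            entries.append(entry)
    return entries

def render_row_verbatim(entry):
    """The flaw the advisory describes: header values copied into HTML as-is."""
    return "<tr>" + "".join(f"<td>{entry[k]}</td>" for k in ("ip", "referer", "agent")) + "</tr>"

def render_row_escaped(entry):
    """Hardened rendering: every log-derived value is HTML-escaped on output."""
    cells = (html.escape(entry[k], quote=True) for k in ("ip", "referer", "agent"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

def contains_foreign_markup(row):
    """True if the row holds any tag other than the <tr>/<td> the renderer emits."""
    return re.search(r"<(?!/?t[rd]>)", row) is not None

if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print("verbatim:", render_row_verbatim(entry))
        print("escaped: ", render_row_escaped(entry))
```

The same escape-on-output rule applies to any other field a report builds from request data, such as the request path or query string.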