|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-Disclosure] Centrinity FirstClass HTTP Server Cross Site Scripting
From: Richard Maudsley (r.i.c.h
btopenworld.com)
Date: Mon Mar 22 2004 - 13:30:03 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Product: FirstClass HTTP Server
Developer: Centrinity
URL: http://www.centrinity.com
Description: Injected code is rendered in the context of the vulnerable
page.
Exploit:
http://[TARGET]/.Templates/Commands/Upload.shtml?TargetName=<script>alert('XSS')</script>
It may be possible to steal cookies from users who are logged into the
system.
It is likely that other pages are also vulnerable.
As usual, OpenText will not follow up this report, and it can be filed away
with numerous other unpatched FirstClass bugs, hacks and exploits:
http://search.securityfocus.com/swsearch?query=firstclass&metaname=swishtitle
Enjoy,
Richard Maudsley
www.mindblock.org
hey, jaw :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]