============================================= INTERNET SECURITY AUDITORS ALERT 2006-004 - Original release date: April 18, 2006 - Last revised: November 13, 2007 - Discovered by: Jesus Olmos Gonzalez - Severity: 1/5 ============================================= I. VULNERABILITY ------------------------- VTLS.web.gateway cgi is vulnerable to XSS II. BACKGROUND ------------------------- vtls.web.gateway cgi is a product from Visionary Technology in Library Solutions. VTLS Inc. is a leading global company that creates and provides visionary technology in library solutions. The company provide these solutions to a diverse customer base of more than 900 libraries in over 32 countries. III. DESCRIPTION ------------------------- VTLS is vulnerable to a cross site scripting attack, it is possible to execue html and javascript code in the browser of who cliks in a malicious crafted link. Here is a simple proof of concept that change html page as example. An attacker could intercept the keyboard, or make CSRF to submit a form of other page. IV. PROOF OF CONCEPT ------------------------- http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1&searchtype=subject%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&kind=ns&conf=080104+++++++ VI. SYSTEMS AFFECTED ------------------------- All with this solution up to 48.1.0 VII. SOLUTION ------------------------- Update to Version 48.1.1 VII. SOLUTION ------------------------- Update to Version 48.1.1 VIII. REFERENCES ------------------------- www.vtls.com IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- April 18, 2006: Initial release. November 13, 2007: Last revision. XI. DISCLOSURE TIMELINE ------------------------- February 27, 2006: The vulnerability discovered by Internet Security Auditors. April 18, 2006: Initial vendor notification sent. No response April 26, 2006: Second vendor notification sent. Ping pong responses. September 14, 2006: Third vendor notification sent. No response. December 01, 2006: Fourth vendor notification sent. No response. December 04, 2006: New patch coming. No schedule. January 02, 2007: Fifth vendor contact to ask for planning. No response. January 22, 2007: Sixth vendor contact to ask for planning. Scheduled. March 23, 2007: Seventh vendor contact to ask for planning. Re-Scheduled. May 22, 2007: Eigth vendor contact to ask for planning. Re-Scheduled. October 01, 2007: Nineth vendor contact to ask for planning. Patch will be published in October. November 09, 2007: Tenth. Version 48.1.1 has been approved for general release and published. November 13, 2007: Advisory Published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.