Main Menu
Network
Sponsor
Top 10 Sites
Partners
|
|
Top Submit newsSubscribe 
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
| Sponsored links | Want to become one of our authors and see your work published on ALLSeek.iNFO ?
| | Apache mod_survey HTML Report Format Lets Remote Users Conduct Cross-Site Scripting Attacks |
|---|
Categorie: Vulnerability
Posted: 2004-03-24 by ReCall
Views: 349
Source: Click here
| Current Rating: Not rated
|
| | Details |
|---|
Description: An input validation vulnerability was reported in Apache mod_survey. A remote user can conduct cross-site scripting attacks against survey administrators.
It is reported that mod_survey does not fully filter HTML code from user-supplied input in the survey text field answers. A remote user can submit specially crafted text as a survey answer. Then, when the target administrator exports the data in HTML table format and views the table, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the mod_survey software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the administrator user.
A similar filtering flaw is reported in the logging of malformed query strings.
The vendor credits Niklas Deutschmann with reporting this flaw.
Impact: A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the mod_survey software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
Solution: The vendor has released a fixed version (3.0.16-pre2 stable and 3.2.0-pre4 development), available at:
http://gathering.itm.mh.se/modsurvey/download.php
| | Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=779
| | User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
| Previous articleBack to news listNext article
|
|
|
|
InterJOB.su
|
