[UNIX] XSS and Path Disclosure in Network Query Tool
From: SecuriTeam (support_at_securiteam.com)
Date: 05/04/04
To: list@securiteam.com Date: 4 May 2004 15:43:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
XSS and Path Disclosure in Network Query Tool
------------------------------------------------------------------------
SUMMARY
" <http://www.shat.net/php/nqt/> Network Query Tool (NQT) is a one-stop
solution for getting information about a domain or IP address. Instead of
manually using different UNIX commands or visiting numerous websites to
"investigate" a host, just load Network Query Tool and enter the hostname
or IP. NQT does the rest".
Vulnerabilities in Network Query Tool allow a malicious user to execute a
cross-site scripting attack and to reveal the complete path of the script.
DETAILS
Vulnerable Systems:
* Network Query Tool (nqt.php) version 1.6
Path Disclosure:
Unchecked user-submitted variable "portNum":
http://localhost/nqt.php?target=example.com&queryType=all&portNum=foobar
This returns the standard PHP error messages, revealing the full path to
the script:
Warning: fsockopen() expects parameter 2 to be long, string given in
D:\apache_wwwroot\nqt.php on line 305
Port foobar does not appear to be open.
This happens because the script does not check the validity of portNum.
Cross-Site Scripting:
XSS through the unsanitized user-submitted variable "portNum":
http://localhost/nqt.php?target=foobar.com&queryType=all&portNum=foobar[xss code here]
ADDITIONAL INFORMATION
The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
Vind "waraxe".
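
One way to close both issues described above, as an added example that is not taken from nqt.php: portNum is validated as an integer in 1..65535 before it reaches fsockopen(), and request values are HTML-encoded when echoed. The function names parse_port, h and port_status_line, and the "appears to be open" message, are hypothetical.

```php
<?php
// Added example, not NQT source: validate portNum before it reaches
// fsockopen() and encode request values before they reach the HTML response.

// Returns the port as an int in 1..65535, or null for anything else.
function parse_port($raw): ?int
{
    if (!is_string($raw)) {          // e.g. portNum[]=1 arrives as an array
        return null;
    }
    $port = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $port === false ? null : $port;
}

// HTML-encode any request value that is echoed back to the browser.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical replacement for the port check: builds the response line.
function port_status_line($rawPort, string $target): string
{
    $port = parse_port($rawPort);
    if ($port === null) {
        // Rejected input is never passed to fsockopen() and never echoed raw.
        return 'Invalid port number.';
    }
    // @ suppresses the PHP warning so no file path is emitted on failure.
    $sock = @fsockopen($target, $port, $errno, $errstr, 5);
    if ($sock === false) {
        return 'Port ' . $port . ' does not appear to be open.';
    }
    fclose($sock);
    return 'Port ' . $port . ' appears to be open.';
}

// Constructed sample inputs, including the advisory's "foobar" case.
foreach (['80', 'foobar', 'foobar<script>', '70000', ['80']] as $sample) {
    $shown = is_string($sample) ? $sample : 'array';
    printf("%-24s => %s\n", h($shown), var_export(parse_port($sample), true));
}
```

Setting display_errors = Off in php.ini additionally keeps any remaining PHP warnings, and the paths they contain, out of the response.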