[VulnWatch] KPMG-2002032: Macromedia Sitespring Cross Site Scripting
From: Peter Gründl (pgrundl@kpmg.dk)Date: 07/17/02
- Previous message: Peter Gründl: "[VulnWatch] KPMG-2002031: Jigsaw Webserver Path Disclosure"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Peter Gründl <pgrundl@kpmg.dk> To: "vulnwatch" <vulnwatch@vulnwatch.org> Date: Wed, 17 Jul 2002 11:31:55 +0200
--------------------------------------------------------------------
Title: Macromedia Sitespring Cross Site Scripting
BUG-ID: 2002032
Released: 17th Jul 2002
--------------------------------------------------------------------
Problem:
========
A malicious user could use a default error page as the basis for a
cross site scripting attack.
Vulnerable:
===========
- Macromedia Sitespring V1.2.0(277.1) on Windows 2000 Server
Details:
========
The default HTTP 500 error script does not check the contents of the
error ticket (et) parameter before outputting it. That makes it
possible to inject eg. javascript in the URL.
http://server/error/500error.jsp?et=1 Vendor URL:
Vendor response:
Additional notes:
"We will continue to provide technical support for Sitespring
Corrective action:
Author: Peter Gründl (pgrundl@kpmg.dk)
--------------------------------------------------------------------
===========
You can visit the vendor webpage here: http://www.macromedia.com
================
The vendor was notified on the 16th of April, 2002. The vendor has
since removed the trial software from the webpage. To our knowledge
there is no scheduled release date for a patch.
=================
Quoted from the vendors webpage:
through May 2004. Please continue to visit the Sitespring support
center for TechNotes, white papers, and other product information.
If you've purchased a technical support plan for Sitespring, we
will continue to provide support pursuant to the terms of your
support agreement. Even though we will not be selling annual
Sitespring support packages, you can purchase incident-based
support from a technical support engineer."
==================
Replace the error script with a custom error page. If you do not
know how to create a .jsp file, simply create a standard 500 error
page in html, and rename it to .jsp.
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------
Relevant Pages
... Macromedia Sitespring Cross Site Scripting ... You can visit the vendor webpage here: http://www.macromedia.com ... "We will continue to provide technical support for Sitespring ...
(Bugtraq)
... Macromedia Sitespring Cross Site Scripting ... You can visit the vendor webpage here: http://www.macromedia.com ... "We will continue to provide technical support for Sitespring ...
(Full-Disclosure)
... Macromedia Sitespring Cross Site Scripting ... You can visit the vendor webpage here: http://www.macromedia.com ... "We will continue to provide technical support for Sitespring ...
(Full-Disclosure)
... A malicious user with access to the Sitespring database engine port can ... This was reported to the vendor on 16 April 2002. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
