ID: OSVDB:18064
Type: osvdb
Reporter: Francisco Amato (famato@infobyte.com.ar)
Modified: 2005-07-15T04:27:31
Description
Vulnerability Description
Novell GroupWise WebAccess contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the content of e-mail messages before including it in dynamically generated web content. This could allow a user to send a specially crafted e-mail that would execute arbitrary code in the recipient's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Upgrade to version 6.5 (dated after 11/7/2005) or 6.5 SP5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Manual Testing Notes
Send an e-mail containing the following HTML code:
<IMG SRC="jAvascript:alert(document.cookie)">
References:
Vendor Specific Advisory URL: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm
Security Tracker: 1014515
Secunia Advisory ID: 16098
Other Advisory URL: http://www.infobyte.com.ar/adv/ISR-11.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0322.html
Keyword: TID10098301
ISS X-Force ID: 21421
CVE-2005-2276
Bugtraq ID: 14310
{"cve": [{"lastseen": "2019-05-29T18:08:14", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. \"jAvascript\" in an IMG tag.", "modified": "2017-07-11T01:32:00", "id": "CVE-2005-2276", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2276", "published": "2005-07-26T04:00:00", "title": "CVE-2005-2276", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "description": "||\r\n|| [ISR]\r\n|| Infobyte Security Research\r\n|| www.infobyte.com.ar\r\n|| 07.19.2005\r\n|| \r\n\r\n\r\n.:: SUMMARY \r\n\r\nNovell Groupwise WebAccess Cross-Site Scripting \r\n\r\nVersion: GroupWise 6.5 SP4, It is suspected that all previous versions of \r\nGroupwise WebAccess\r\nare vulnerable. \r\n\r\n.:: BACKGROUND \r\n\r\nGroupWise WebAccess is Novell's premier Intranet/Internet GroupWare solution \r\nfor the Web. \r\n\r\nMore info: http://www.novell.com \r\n\r\n.:: DESCRIPTION \r\n\r\nRemote explotation of Cross-Site Scripting due to failure of the application \r\nto properly\r\nsanitize user-supplied input prior to including it in dynamically generated \r\nWeb content. \r\n\r\nTo reproduce this, send a e-mail with the following html code: \r\n\r\n<IMG SRC="j&#X41vascript:alert(document.cookie)"> \r\n\r\nIt show a simple code of example to execute script in the browser of an \r\nunsuspecting user.\r\nThis issue may allow for the theft of authentication credentials. 
\r\n\r\n.:: VENDOR RESPONSE \r\n\r\nVendor advisory:\r\n http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm \r\n\r\nVendor patch:\r\n http://support.novell.com/filefinder/16963/beta.html\r\n The filename is fwa655d.exe\r\n\r\n.:: CVE INFORMATION \r\n\r\nId: CAN-2005-2276\r\nWeb: http://cve.mitre.org\r\n\r\n.:: DISCLOSURE TIMELINE \r\n\r\n06/14/2005 Initial vendor notification\r\n06/14/2005 Initial vendor response\r\n07/19/2005 Coordinated public disclosure \r\n\r\n.:: CREDIT \r\n\r\nFrancisco Amato is credited with discovering this vulnerability.\r\nfamato][at][infobyte][dot][com][dot][ar \r\n\r\n.:: LEGAL NOTICES \r\n\r\nCopyright (c) 2005 by [ISR] Infobyte Security Research.\r\nPermission to redistribute this alert electronically is granted as long as \r\nit is not\r\nedited in any way unless authorized by Infobyte Security Research Response.\r\nReprinting the whole or part of this alert in any medium other than \r\nelectronically\r\nrequires permission from infobyte com ar \r\n\r\nDisclaimer\r\nThe information in the advisory is believed to be accurate at the time of \r\npublishing\r\nbased on currently available information. Use of the information constitutes \r\nacceptance\r\nfor use in an AS IS condition. There are no warranties with regard to this \r\ninformation.\r\nNeither the author nor the publisher accepts any liability for any direct, \r\nindirect, or\r\nconsequential loss or damage arising from use of, or reliance on, this \r\ninformation. 
\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2005-07-19T00:00:00", "published": "2005-07-19T00:00:00", "id": "SECURITYVULNS:DOC:9230", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9230", "title": "[Full-disclosure] [ISR] - Novell Groupwise WebAccess Cross-Site Scripting", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-11-01T02:46:56", "bulletinFamily": "scanner", "description": "The remote host is running a version of GroupWise WebAccess from\nNovell that fails to sanitize email messages of HTML and script code\nembedded in IMG tags. An attacker can exploit this flaw to launch\ncross-site scripting attacks against users of WebAccess by sending\nthem specially crafted email messages.", "modified": "2019-11-02T00:00:00", "id": "GROUPWISE_WEBACCESS_XSS.NASL", "href": "https://www.tenable.com/plugins/nessus/19228", "published": "2005-07-20T00:00:00", "title": "Novell GroupWise WebAccess Email IMG SRC XSS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19228);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2005-2276\");\n script_bugtraq_id(14310);\n\n script_name(english:\"Novell GroupWise WebAccess Email IMG SRC XSS\");\n script_summary(english:\"Checks for cross-site scripting vulnerability in GroupWise WebAccess\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a script that is affected by a cross-\nsite scripting issue.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of GroupWise WebAccess from\nNovell that fails to sanitize 
email messages of HTML and script code\nembedded in IMG tags. An attacker can exploit this flaw to launch\ncross-site scripting attacks against users of WebAccess by sending\nthem specially crafted email messages.\");\n # https://web.archive.org/web/20060207021932/http://www.infobyte.com.ar/adv/ISR-11.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b5e9b54a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Jul/320\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to GroupWise 6.5 SP5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/20\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:groupwise_webaccess\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\n# The aboutpqa.htm associated with the Palm app often has more detailed info\n# but isn't necessarily upgraded so check only if Report Paranoia is\n# set to Paranoid.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nw = http_send_recv3(method:\"GET\", item:\"/com/novell/webaccess/palm/en/aboutpqa.htm\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n# nb: looks like:\n# <BR>Program Release:\n# <BR>6.5.4\nif (\"<BR>Program Release:\" >< res) {\n res = strstr(res, \"Program Release:\");\n pat = \"^<BR>([0-9].+)$\";\n if (egrep(string:res, pattern:pat, icase:TRUE)) {\n matches = egrep(pattern:pat, string:res, icase:TRUE);\n foreach match (split(matches)) {\n match = chomp(match);\n ver = eregmatch(pattern:pat, string:match);\n if (!isnull(ver)) {\n ver = ver[1];\n break;\n }\n }\n }\n}\n\n# If that failed, try to get it from WebAccess' main page.\nif (isnull(ver)) {\n w = http_send_recv3(method:\"GET\", item:\"/servlet/webacc\", port:port);\n if (isnull(w)) exit(1, \"the web server did not answer\");\n res = w[2];\n\n # Look for the version number in the banner.\n pat = \"^<BR>Version ([0-9].+)\";\n if (egrep(string:res, pattern:pat, icase:TRUE)) {\n matches = egrep(pattern:pat, string:res, icase:TRUE);\n foreach match (split(matches)) {\n match = chomp(match);\n ver = eregmatch(pattern:pat, string:match);\n if (!isnull(ver)) {\n ver = ver[1];\n # nb: 6.5 by itself doesn't give us enough details.\n if (ver =~ \"^6\\.5$\") {\n ver = NULL;\n }\n break;\n }\n }\n }\n}\n\n# Versions 6.5.4 and below are affected.\nif (ver && ver =~ \"^([0-5]\\.|6\\.([0-4]|5\\.[0-4]))\") {\n security_warning(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-11-03T12:30:19", 
"bulletinFamily": "scanner", "description": "The remote web server hosts CGI scripts that fail to adequately\nsanitize request strings of malicious JavaScript. By leveraging this\nissue, an attacker may be able to cause arbitrary HTML and script code\nto be executed in a user", "modified": "2019-11-02T00:00:00", "id": "TORTURE_CGI_CROSS_SITE_SCRIPTING2.NASL", "href": "https://www.tenable.com/plugins/nessus/47831", "published": "2010-07-26T00:00:00", "title": "CGI Generic XSS (comprehensive test)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(47831);\n script_version (\"1.27\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n\n\n script_name(english: \"CGI Generic XSS (comprehensive test)\");\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is prone to cross-site scripting attacks.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server hosts CGI scripts that fail to adequately\nsanitize request strings of malicious JavaScript. By leveraging this\nissue, an attacker may be able to cause arbitrary HTML and script code\nto be executed in a user's browser within the security context of the\naffected site. These XSS are likely to be 'non-persistent' or\n'reflected'.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ea9a0369\");\n script_set_attribute(attribute:\"see_also\", value:\"http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting\");\n script_set_attribute(attribute:\"solution\", value:\n\"Restrict access to the vulnerable application. 
Contact the vendor\nfor a patch or upgrade.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(\n 20, # Improper Input Validation\n 74, # Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection'\n 79, # Cross-Site Scripting\n 80, # Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS\n 81, # Improper Neutralization of Script in an Error Message Web Page\n 83, # Improper Neutralization of Script in Attributes in a Web Page\n 84, # Improper Neutralization of Encoded URI Schemes in a Web Page\n 85, # Doubled Character XSS Manipulations\n 86, # Improper Neutralization of Invalid Characters in Identifiers in Web Pages\n 87, # Improper Neutralization of Alternate XSS Syntax\n 116, # Improper Encoding or Escaping of Output\n 442, # Web problems\n 692, # Incomplete Blacklist to Cross-Site Scripting\n 712, # OWASP Top Ten 2007 Category A1 - Cross Site Scripting XSS\n 722, # OWASP Top Ten 2004 Category A1 - Unvalidated Input\n 725, # OWASP Top Ten 2004 Category A4 - Cross-Site Scripting XSS Flaws\n 751, # 2009 Top 25 - Insecure Interaction Between Components\n 801, # 2010 Top 25 - Insecure Interaction Between Components\n 811, # OWASP Top Ten 2010 Category A2 - Cross-Site Scripting XSS\n 928, # Weaknesses in OWASP Top Ten 2013\n 931 # OWASP Top Ten 2013 Category A3 - Cross-Site Scripting XSS\n );\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/26\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_summary(english: \"Tortures the arguments of the remote CGIs (XSS)\");\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english: \"CGI abuses : XSS\");\n script_dependencie(\"http_version.nasl\", \"webmirror.nasl\", \"cross_site_scripting.nasl\", \"web_app_test_settings.nasl\", 
\"torture_cgi_load_estimation1.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_timeout(43200);\t# Timeout is managed by the script itself\n script_require_keys(\"Settings/enable_web_app_tests\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"torture_cgi.inc\");\n\n\nfunction torture_cgi_response_post_check(resp) { return 0; } # stub\n\n####\n\ni = 0; \nflaws_and_patterns = make_array(\n# \"<script > alert(201); </script >\", \"RE:<script *> *alert\\(201\\); *</script *>\",\n '\"><script > alert(201); </script >', 'RE:[^\\\\\\\\]\"><script *> *alert\\\\(201\\\\); *</script *>',\n## \"<IMG SRC=a onerror=alert(String.fromCharCode(88,83,83))>\", ...,\n\n# UTF-7 encoded\n \"+ADw-script+AD4-alert(202)+ADw-/script+AD4-\", \"RE:<script>alert\\(202\\)</script>|.<.s.c.r.i.p.t.>.a.l.e.r.t.\\(.2.0.2.\\).<./.s.c.r.i.p.t.>\",\n# UTF-16 encoded (works with IE) \n \"%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%32%30%33%29%3C%2F%73%63%72%69%70%74%3E\", \n \"RE:<script>alert\\(203\\)</script>|.<.s.c.r.i.p.t.>.a.l.e.r.t.\\(.2.0.3.\\).<./.s.c.r.i.p.t.>\",\n\n '%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28205%29%3E',\n 'ST:\"><img src=1 onerror=javascript:alert(505)>',\n '<<<<<<<<<<foo\"bar\\'204>>>>>',\t'ST:<<foo\"bar\\'204>>'\n);\n\n# Interesting patterns:\n# \"><ScRiPt>alert(42)</ScRiPt>\n# \" onerror=\"alert(42)\n\nif (!get_kb_item(\"Settings/PCI_DSS\") && report_paranoia > 1)\n{\n flaws_and_patterns[\"< script > alert(204); </ script >\"] = \"RE:< *script *> *alert\\(204\\); *</ *script *>\";\n # If the charset is not specified (and different from UTF-7), then this should work too\n flaws_and_patterns[\"+ADw-script+AD4-alert(205)+ADw-/script+AD4-\"] = \n \"RE:\\+ADw-script\\+AD4-alert(205)\\+ADw-/script\\+AD4-|<script>alert\\(205\\)</script>|.<.s.c.r.i.p.t.>.a.l.e.r.t.\\(.2.0.5.\\).<./.s.c.r.i.p.t.>\";\n # Netscape 4 only - CVE-2002-0738\n flaws_and_patterns[\"<b foo=&{alert(206)};>\"] 
=\n \"ST:<b foo=&{alert(206)};>\";\n flaws_and_patterns['>>>>>>>>>>foo\"bar\\'207<<<<<'] =\n 'ST:>>foo\"bar\\'207<<';\n}\n\nif (thorough_tests)\n{\n # Base64 encoding\n flaws_and_patterns[\"PHNjcmlwdD5hbGVydCg5OSk7PC9zY3JpcHQ+\"] = \n \"ST:'<script>alert(99);</script>\";\n # Broken Base64 encoding - may circumvent mod_security\n # http://blog.modsecurity.org/2010/04/impedance-mismatch-and-base64.html\n flaws_and_patterns[\"P.HNjcmlwdD5hbGVydCg5OCk7PC9zY3JpcHQ+\"] = \n \"ST:'<script>alert(98);</script>\";\n\n flaws_and_patterns[\"%u00ABscript%u00BBalert(209);%u00AB/script%u00BB\"] = \n \"RE:<script *> *alert\\(209\\); *</script *>\";\n flaws_and_patterns[\"〈script〉alert(210);〈/script〉\"] =\n \"RE:<script *> *alert(210); *</script *>\";\n flaws_and_patterns[\"U%2bFF1CscriptU%2bFF1Ealert(211);/U%2bFF1CscriptU%2bFF1E\"] =\n \"RE:<script *> *alert(211); *</script *>\";\n flaws_and_patterns[\"‹script›alert(212);‹/script›\"] =\n \"RE:<script *> *alert(212); *</script *>\";\n flaws_and_patterns[\"〈script𣊪lert(213);〈/script〉\"] =\n \"RE:<script *> *alert(213); *</script *>\";\n flaws_and_patterns[\"⟨script⟩alert(214);⟨/script⟩\"] =\n \"RE:<script *> *alert(214); *</script *>\";\n\n flaws_and_patterns[\"+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAA0ADIAKQA7ADwALwBzAGMAcgBpAHAAdAA+-\"] =\n \"RE:<script>alert\\(42\\);</script>|.<.s.c.r.i.p.t.>.a.l.e.r.t.\\(.4.2.\\).;.<./.s.c.r.i.p.t.>\";\n flaws_and_patterns[\"%3Cscript%3Ealert(216)%3B%3C%2Fscript%3E\"] = \n \"ST:<script>alert(216);</script>\";\n # CVE-2002-0738\n flaws_and_patterns[\"><scr<script>ipt>alert(217)</scr</script>ipt>\"] = \n \"ST:><script>alert(217)</script>\";\n # CVE-2005-2276, CVE-2005-0563...\n flaws_and_patterns[\"javascript:alert(218)\"] = \n 'ST:javascript:alert(218)';\n # BID 10724\n flaws_and_patterns['<%00script>alert(219);</script%00>'] =\n 'ST:script>alert(219);</script';\n}\n\nport = torture_cgi_init(vul:'X2');\n\n\nif (get_kb_item(strcat(\"www/\", port, \"/generic_xss\")))\n exit(0, 'The web server is 
vulnerable to generic cross-site scripting');\n# if (stop_at_first_flaw == \"port\" && ! thorough_tests && get_kb_item(strcat(\"www/\", port, \"/XSS\"))) exit(0);\n\nif (report_paranoia < 2)\n ct = \"text/(xml|html)\";\nelse\n ct = NULL;\nreport = torture_cgis(port: port, vul: \"X2\", only_content: ct, follow_redirect: 2);\n\nif (strlen(report) > 0)\n{\n security_warning(port:port, extra: report);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T02:37:49", "bulletinFamily": "exploit", "description": "Novell GroupWise 6.5 WebAccess HTML Injection Vulnerability. CVE-2005-2276 . Webapps exploit for java platform", "modified": "2005-07-15T00:00:00", "published": "2005-07-15T00:00:00", "id": "EDB-ID:26001", "href": "https://www.exploit-db.com/exploits/26001/", "type": "exploitdb", "title": "Novell GroupWise 6.5 WebAccess HTML Injection Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/14310/info\r\n\r\nNovell GroupWise WebAccess is prone to an HTML injection vulnerability. This may be used to inject hostile HTML and script code into the Web mail application. When a user opens an email containing the hostile code, it may be rendered in their browser.\r\n\r\nSuccessful exploitation could potentially allow theft of cookie-based authentication. Other attacks are also possible. \r\n\r\n<IMG SRC=\"jAvascript:alert(document.cookie)\"> ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26001/"}]}