Websense Web Reporting Tools Logon Page username Field XSS

2007-12-10T00:00:00
ID OSVDB:39155
Type osvdb
Reporter Dave Lewis
Modified 2007-12-10T00:00:00

Description

Vulnerability Description

Websense Web Reporting Tools contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate the 'username' field when the logon page is submitted. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Websense has released a patch to address this issue.

References:

Vendor Specific News/Changelog Entry: http://www.websense.com/SupportPortal/SupportKbs/1840.aspx
Security Tracker: 1019066
Secunia Advisory ID: 28019
Other Advisory URL: http://www.liquidmatrix.org/blog/2007/12/10/advisory-websense-xss-vulnerability/
ISS X-Force ID: 38936
FrSIRT Advisory: ADV-2007-4158
CVE-2007-6312
Bugtraq ID: 26793