Xedus Webserver test.x username Variable XSS

2004-08-30T00:00:00
ID OSVDB:9388
Type osvdb
Reporter James Bercegay
Modified 2004-08-30T00:00:00

Description

Vulnerability Description

Xedus Webserver contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'test.x' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Xedus Webserver contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'test.x' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Manual Testing Notes

http://[victim]:4274/test.x?username=[XSS]
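As an added illustration that is not part of the OSVDB record or of the vendor's code: a minimal model of the flaw described above (the 'username' parameter of a 'test.x'-style request reflected verbatim into HTML), beside the two defender-side fixes the description implies, input validation and HTML output encoding, plus a check a tester can run over a captured response. The host name, the probe value and all function names are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request modelled on the advisory's test URL. The host is a
# placeholder and the 'username' value is a harmless markup probe, not a
# payload taken from the page.
CONSTRUCTED_URL = "http://xedus.example:4274/test.x?username=%3Cb%3Eguest%3C%2Fb%3E%22"

# Allow-list for what a username may look like (assumed policy for the example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def username_from_url(url: str) -> str:
    """Extract the decoded 'username' query parameter as the server would see it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("username", [""])[0]


def is_valid_username(username: str) -> bool:
    """Input validation: reject anything outside the allow-list before use."""
    return USERNAME_RE.fullmatch(username) is not None


def render_vulnerable(username: str) -> str:
    """Models the reported behaviour: the parameter is reflected unencoded."""
    return f"<p>Hello, {username}</p>"


def render_fixed(username: str) -> str:
    """Output encoding: <, >, & and both quote characters are escaped for HTML."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


def reflects_markup(response_body: str, probe: str) -> bool:
    """Detection check: True if the probe's markup appears unencoded in the body."""
    return probe in response_body


if __name__ == "__main__":
    value = username_from_url(CONSTRUCTED_URL)
    print("valid username:", is_valid_username(value))
    print("vulnerable body:", render_vulnerable(value))
    print("fixed body:     ", render_fixed(value))
```

The allow-list alone is not enough where legitimate values may contain special characters; the encoding step is what keeps the reflected value from being interpreted as markup.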

References:

Vendor URL: http://www.thinxoft.com
Security Tracker: 1011092
Secunia Advisory ID: 12418
Related OSVDB ID: 9389
Related OSVDB ID: 9390
Related OSVDB ID: 9387
Related OSVDB ID: 9391
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00047-08302004
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0400.html
ISS X-Force ID: 17166
CVE-2004-1645
Bugtraq ID: 11071