vtls-xss.txt

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2006-004  
- Original release date: April 18, 2006  
- Last revised: November 13, 2007  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 1/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
VTLS.web.gateway cgi is vulnerable to XSS  
  
II. BACKGROUND  
-------------------------  
vtls.web.gateway cgi is a product from Visionary Technology in Library  
Solutions.  
  
VTLS Inc. is a leading global company that creates and provides  
visionary technology in library solutions.  
  
The company provide these solutions to a diverse customer base of more  
than 900 libraries in over 32 countries.  
  
III. DESCRIPTION  
-------------------------  
VTLS is vulnerable to a cross site scripting attack, it is possible to  
execue html and javascript code in the browser of who cliks in a  
malicious crafted link.  
  
Here is a simple proof of concept that change html page as example. An  
attacker could intercept the keyboard, or make CSRF to submit a form  
of other page.  
  
IV. PROOF OF CONCEPT  
-------------------------  
http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1&searchtype=subject%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&kind=ns&conf=080104+++++++  
  
VI. SYSTEMS AFFECTED  
-------------------------  
All with this solution up to 48.1.0  
  
VII. SOLUTION  
-------------------------  
Update to Version 48.1.1  
  
VII. SOLUTION  
-------------------------  
Update to Version 48.1.1  
  
VIII. REFERENCES  
-------------------------  
www.vtls.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported by  
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
April 18, 2006: Initial release.  
November 13, 2007: Last revision.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
February 27, 2006: The vulnerability discovered by  
Internet Security Auditors.  
April 18, 2006: Initial vendor notification sent.  
No response  
April 26, 2006: Second vendor notification sent.  
Ping pong responses.  
September 14, 2006: Third vendor notification sent.  
No response.  
December 01, 2006: Fourth vendor notification sent.  
No response.  
December 04, 2006: New patch coming.  
No schedule.  
January 02, 2007: Fifth vendor contact to ask for planning.  
No response.  
January 22, 2007: Sixth vendor contact to ask for planning.  
Scheduled.  
March 23, 2007: Seventh vendor contact to ask for planning.  
Re-Scheduled.  
May 22, 2007: Eigth vendor contact to ask for planning.  
Re-Scheduled.  
October 01, 2007: Nineth vendor contact to ask for planning.  
Patch will be published in October.  
November 09, 2007: Tenth. Version 48.1.1 has been approved for  
general release and published.  
November 13, 2007: Advisory Published.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors, S.L. accepts no responsibility for any  
damage caused by the use or misuse of this information.  
`