Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMazin FaourPACKETSTORM:70659
HistoryOct 07, 2008 - 12:00 a.m.

verisign-xss.txt

2008-10-0700:00:00
Mazin Faour
packetstormsecurity.com
24

EPSS

0.004

Percentile

72.2%

JSON
`VeriSign Kontiki Delivery Management System (DMS) Cross-Site Scripting  
Vulnerability   
  
(CVE Number: CVE-2008-4393)   
  
  
  
Vulnerability Type / Importance: XSS / Medium   
  
  
  
Problem discovered: September 24th 2007   
  
Vendor contacted: September 26th 2007   
  
Advisory published: March 28th 2008   
  
  
  
Abstract   
  
The Kontiki Delivery Management System (DMS) is "a low-cost enterprise  
content delivery system that helps large companies rapidly deliver  
compelling, rich media communications to employees, customers, and  
partners."   
  
Kontiki DMS is vulnerable to a cross-site scripting attack based on the  
manipulation of URL parameters of a site running this service.   
  
  
  
Description  
  
During a recent penetration test, a cross-site scripting vulnerability  
was discovered in a Kontiki DMS servlet. The vulnerability can be tested  
by entering JavaScript in the URL as shown in the example below:   
  
  
  
http://server/zodiac/servlet/zodiac?action=%3Cscript%3Ealert(document.co  
okie)%3C/script%3E  
  
  
  
The server would process the code and execute the JavaScript on the  
user's browser.   
  
Verisign was contacted and immediately confirmed that this was indeed a  
security issue and set about producing a patch to include in the next  
update for the product.   
  
  
  
Affected Versions   
  
Kontiki DMS Version <= 5.0   
  
  
  
Operating Systems Tested   
  
Microsoft Windows   
  
  
  
Vendor & Patch Information   
  
Verisign has released a patch to resolve this issue, which can be  
downloaded from https://customersupport.kontiki.com/software/patch-20102  
  
  
  
Workarounds   
  
IRM is not aware of any workarounds for this issue.   
  
  
  
Credits   
  
Research & Advisory: Mazin Faour   
  
  
  
Disclaimer   
  
All information in this advisory is provided on an 'as is' basis in the  
hope that it will be useful. Information Risk Management Plc is not  
responsible for any risks or occurrences caused by the application of  
this information.  
  
  
  
http://www.irmplc.com/researchlab  
  
`

Related

exploitdb 1
nvd 1
prion 1
kaspersky 1
cve 1
cvelist 1
exploitdb
exploitdb
VeriSign Kontiki Delivery Management System 5.0 - &#039;action&#039; Cross-Site Scripting
2008-10-05 00:00:00
nvd
nvd
CVE-2008-4393
2008-10-07 20:00:17
prion
prion
Cross site scripting
2008-10-07 20:00:00
kaspersky
kaspersky
KLA10240 CI vulnerability in Kontiki DMS
2008-10-07 00:00:00
cve
cve
CVE-2008-4393
2008-10-07 20:00:17
cvelist
cvelist
CVE-2008-4393
2008-10-07 18:27:00

EPSS

0.004

Percentile

72.2%

JSON
Related for PACKETSTORM:70659
exploitdb1nvd1prion1kaspersky1cve1cvelist1