Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Orion Application Server Cross Site Scripting

🗓️ 10 Sep 2009 00:00:00Reported by Richard BrainType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Orion App Server XSS vulnerability, fixed after notified in 2009

Code
`R08-08: Several XSS on Orion Application server 2.0 to 2.0.8  
  
Vulnerability found: May 2008 Revalidated 23 July 2009  
  
Vendor informed: 27th July 09  
  
Vulnerability fixed:   
  
Severity: Medium  
  
Description:   
  
Various Orion application application server example pages are vulnerable to XSS. Orion application server is a java based web application server, http://www.orionserver.com/.  
  
  
Note: Orion application server was tested on Windows XP and JRE 1.6.0_14  
  
  
The following demonstrate XSS:  
  
1) http://10.0.2.177:8080/examples/jsp/sessions/carts.jsp?item=<body><script>alert(1)</script></body>&submit=add  
  
2) http://10.0.2.177:8080/examples/jsp/checkbox/checkresult.jsp?fruit=<script>alert(1)</script>  
  
3) http://10.0.2.177:8080/examples/jsp/cal/cal2.jsp?time=<script>alert(1)</script>  
Consequences:   
  
An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to a Orion Application server site. Such code would run within the security context of the target domain. This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: session IDs) to unauthorised third parties.  
  
  
  
Fix:  
  
Remove sample scripts from live environments.  
  
  
References:   
  
http://www.procheckup.com/Vulnerabilities.php  
  
  
  
Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)  
  
  
Legal:  
  
Copyright 2009 Procheckup Ltd. All rights reserved.  
  
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.  
  
Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Sep 2009 00:00Current
orion application servercross site scriptingxssjava basedvulnerabilitymedium severitywindows xpjre 1.6.0_14script removal
25