SnapStream PVS LITE Cross Site Scripting Vulnerabillity

2004-01-09T00:00:00
ID SECURITYVULNS:DOC:5608
Type securityvulns
Reporter Securityvulns
Modified 2004-01-09T00:00:00

Description

Application: SnapStream PVS Vendor : http://www.snapstream.com Versions: LITE Platforms: Windows/Unix Bug: Cross Site Scripting Vulnerabillity Risk: Low Exploitation: Remote with browser Date: 6 Jan 2004 Author: Rafel Ivgi, The-Insider e-mail: the_insider@mail.com web: http://theinsider.deep-ice.com

1) Introduction 2) Bug 3) The Code

=============== 1) Introduction ===============

SnapStream PVS is a Personal Video Station software. It allows the user to remotely schedule recordings and playing of Tv shows using video tapes and cable TV.

====== 2) Bug ======

When the webserver hosting SnapStream PVS LITE recieves a 'GET /?<script>alert('XSS')</script>' its ignores it, the data gets filtered as it should. But when it recieves a 'GET /?"><script>alert('XSS')</script>' the filters are bypassed and XSS appears and the server allows an attacker to inject & execute scripts.

=========== 3) The Code ===========

http://<host>/?"><script>alert('XSS')</script>


Rafel Ivgi, The-Insider http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."