SnapStream PVS LITE Cross Site Scripting Vulnerabillity

Type securityvulns
Reporter Securityvulns
Modified 2004-01-09T00:00:00


Application: SnapStream PVS Vendor : Versions: LITE Platforms: Windows/Unix Bug: Cross Site Scripting Vulnerabillity Risk: Low Exploitation: Remote with browser Date: 6 Jan 2004 Author: Rafel Ivgi, The-Insider e-mail: web:

1) Introduction 2) Bug 3) The Code

=============== 1) Introduction ===============

SnapStream PVS is a Personal Video Station software. It allows the user to remotely schedule recordings and playing of Tv shows using video tapes and cable TV.

====== 2) Bug ======

When the webserver hosting SnapStream PVS LITE recieves a 'GET /?<script>alert('XSS')</script>' its ignores it, the data gets filtered as it should. But when it recieves a 'GET /?"><script>alert('XSS')</script>' the filters are bypassed and XSS appears and the server allows an attacker to inject & execute scripts.

=========== 3) The Code ===========


Rafel Ivgi, The-Insider

"Things that are unlikeable, are NOT impossible."