Application: SnapStream PVS Vendor : http://www.snapstream.com Versions: LITE Platforms: Windows/Unix Bug: Cross Site Scripting Vulnerabillity Risk: Low Exploitation: Remote with browser Date: 6 Jan 2004 Author: Rafel Ivgi, The-Insider e-mail: email@example.com web: http://theinsider.deep-ice.com
1) Introduction 2) Bug 3) The Code
=============== 1) Introduction ===============
SnapStream PVS is a Personal Video Station software. It allows the user to remotely schedule recordings and playing of Tv shows using video tapes and cable TV.
====== 2) Bug ======
When the webserver hosting SnapStream PVS LITE recieves a 'GET /?<script>alert('XSS')</script>' its ignores it, the data gets filtered as it should. But when it recieves a 'GET /?"><script>alert('XSS')</script>' the filters are bypassed and XSS appears and the server allows an attacker to inject & execute scripts.
=========== 3) The Code ===========
Rafel Ivgi, The-Insider http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."