[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

InSite Troubleshooting Cross-Site Scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: InSite Troubleshooting Cross-Site Scripting
From: vulns@xxxxxxxxxxx
Date: 7 Mar 2011 09:01:02 -0000

Class   Input Validation Error
CVE     
Remote  Yes
Local   No
Published       Feb 14 2011 08:55AM
        
Credit  Dionach
Vulnerable      Kodak InSite 5.5.2

Kodak InSite is prone to a cross-site scripting vulnerability because it fails 
to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the 
browser of an unsuspecting user in the context of the affected site. This may 
allow the attacker to steal cookie-based authentication credentials and to 
launch other attacks.

Kodak InSite 5.5.2 is known to be vulnerable. Other versions may also be 
vulnerable.

To exploit this issue, an attacker must entice an unsuspecting victim into 
following a malicious URI, such as the following:

http://SITE/Troubleshooting/DiagnosticReport.asp?HeaderWarning=<script>alert("XSS!")</script>&Language=en&rflp=true#

POST http://SITE/troubleshooting/speedtest.asp
User-Agent= Test";} alert("XSS!"); function a() {//

Kodak report that this issue does not affect the latest version of InSite, 
available for free with an ongoing support contract.

Prev by Date: Kodak InSite Login Page Cross-Site Scripting
Next by Date: [USN-1085-1] tiff vulnerabilities
Previous by thread: Kodak InSite Login Page Cross-Site Scripting
Next by thread: [USN-1085-1] tiff vulnerabilities
Index(es):
- Date
- Thread