Bugtraq mailing list archives

DeepMetrix LiveStats javascript injection


From: <security () satus com>
Date: 17 Jun 2002 23:05:11 -0000



Background:
DeepMetrix (formerly MediaHouse) LiveStats is server
software that provides an interactive web based summary
of website traffic based on HTTP server logs.

Details:
By crafting special user-agent or referer headers on
HTTP requests to a web site that is monitored by
LiveStats, arbitrary javascript can be executed in the
browser of a person viewing the LiveStats HTML reports.
LiveStats displays the browser-tag and referer strings
in its reports verbatim, including any script tags.
Injected script that reads and reports the URL of the
LiveStats interface (which carries the ServerID) could
allow access that is normally protected only by the
secrecy of that private ServerID.

Demonstration:
Browse http://www.deepmetrix.com/ with a user-agent of
XXX<script>alert("foo");</script>
Then browse the Demo of LiveStats available on the
Deepmetrix web site at:
http://livestats.deepmetrix.com/stats?type=login&action=login&serverid=deepmetrix&username=guest
In the "Tabular - Who's On - XX Active Visitors" area
of the "Who's On" page, expand the IP address that made
the request. The next window will include the alert() popup.
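
The injection path described in the Details and Demonstration sections, as an added example that is not part of the original post and not LiveStats code: a minimal log-report generator that parses a combined-format access log line and renders the User-Agent and Referer fields into an HTML row first verbatim (the behaviour the advisory reports) and then HTML-escaped (the fix). The log line, the IP address 192.0.2.10 and the referer URL http://attacker.example/ are constructed for this example; the function names are illustrative.

```python
import html
import re
from typing import Dict, Optional

# Constructed sample: one Apache/NCSA "combined" format access-log line of the
# kind a log analyzer consumes. The visitor set both a Referer and a User-Agent
# that contain a script tag, as in the advisory's demonstration. Apache writes a
# literal double quote inside a quoted field as \" so the payload survives the
# log format intact.
SAMPLE_LOG_LINE = (
    '192.0.2.10 - - [17/Jun/2002:23:05:11 +0000] "GET / HTTP/1.0" 200 2326 '
    '"http://attacker.example/<script>alert(\'referer\')</script>" '
    '"XXX<script>alert(\\"foo\\");</script>"'
)

# ip ident user [date] "request" status bytes "referer" "user-agent"
# The two quoted header fields may contain backslash-escaped quotes.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Undo the log writer's quoting so the fields hold what the client sent.
    for key in ("referer", "agent"):
        fields[key] = fields[key].replace('\\"', '"')
    return fields


def render_visitor_row_vulnerable(entry: Dict[str, str]) -> str:
    """Report row built the way the advisory describes: header values are
    interpolated into the HTML verbatim, so a <script> tag sent in the
    User-Agent or Referer runs in the browser of whoever views the report."""
    return (
        "<tr>"
        f"<td>{entry['ip']}</td>"
        f"<td>{entry['agent']}</td>"
        f"<td>{entry['referer']}</td>"
        "</tr>"
    )


def render_visitor_row_hardened(entry: Dict[str, str]) -> str:
    """Same row with every client-controlled field HTML-escaped on output.
    html.escape(quote=True) rewrites <, >, &, ' and " so the values are
    displayed as text instead of being parsed as markup."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        "<tr>"
        f"<td>{esc(entry['ip'])}</td>"
        f"<td>{esc(entry['agent'])}</td>"
        f"<td>{esc(entry['referer'])}</td>"
        "</tr>"
    )


def contains_live_markup(rendered_html: str) -> bool:
    """Check used here to show the difference between the two renderers:
    does a raw <script tag survive into the report HTML?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    entry = parse_combined(SAMPLE_LOG_LINE)
    assert entry is not None
    print("vulnerable:", render_visitor_row_vulnerable(entry))
    print("hardened:  ", render_visitor_row_hardened(entry))
```

Escaping at the point of output is the fix, not filtering at log-collection time: the log must keep the raw header for forensic value, and every report page that prints it has to encode it for the context it lands in.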

Versions between 5.03 and 6.2.1 are affected. Vendor
was notified on 5/17/2002.

Daniel Bowers
Satus Technology LLC
security () satus com

