Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Zeus Admin Server v4.1r2 index.fcgi XSS bug

From: "euronymous" <just-a-user () yandex ru>
Date: Fri, 8 Nov 2002 22:39:24 +0300 (MSK)
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: Zeus Admin Server v4.1r2 index.fcgi XSS bug
product: Zeus Admin Server v4.1r2 for linux/x86
vendor: http://www.zeus.co.uk
risk: very low (authorisation required)
date: 11/8/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory urls: http://f0kp.iplus.ru/bz/007.txt 
               http://xakep.host.sk/bz/007.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
              
description
-----------
in default Zeus installation, you can to access
management interface via http://hostname:9090. 

[you have to enter correct login/password here]

there is some general script, that contain xss bug. 
btw, default management login is `admin'..

sample attack
-------------
http://hostname:9090/apps/web/index.fcgi?servers=
&section=<script>alert(document.cookie)</script>

[it must be in a single string]

shouts: HACKRU Team, DHG, Spoofed Packet, all russian security guyz 
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================
Previous By Date Next
Previous By Thread Next

Current thread: