Bugtraq mailing list archives
Remotely Anywhere Message Injection Vulnerability
From: "Oliver Karow" <Oliver.Karow () gmx de>
Date: Thu, 11 Dec 2003 11:36:04 +0100 (MET)
Remotely Anywhere Message Injection Vulnerability
=================================================

In addition to http://www.securityfocus.com/bid/9120 I found that it is possible to inject a message into the login page of Remotely Anywhere.

It's not an XSS attack, because there is no directly executed script code, even if a msg-box pops up containing the injected message (have a look at http://www.oliverkarow.de/research/ra.jpg for a screenshot).

Exploiting:
===========

https://host:2000/default.html?logout=asdf&reason=Please%20set%20your%20password%20to%20ABC123%20after%20login

Vulnerable:
===========

This vuln. was tested on "Remotely Anywhere Enterprise Edition"

Discovered by:
==============

oliver.karow_gmx.de
www.oliverkarow.de
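A defender-side check for the request pattern in the advisory above, as an added example that is not part of the original post: it scans web access log lines for `default.html` requests whose `reason` parameter carries free text instead of a short token. The Common Log Format input, the token heuristic, the helper names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a value the product sets itself would be a short single token;
# anything longer or containing spaces/punctuation is treated as injected text.
MAX_TOKEN_LEN = 32
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]*")

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def injected_reason(target):
    """Return the decoded `reason` text if it looks like free text, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/default.html"):
        return None
    # parse_qs percent-decodes values and turns '+' into a space
    params = parse_qs(parts.query, keep_blank_values=True)
    if "logout" not in params or "reason" not in params:
        return None
    for value in params["reason"]:
        if len(value) > MAX_TOKEN_LEN or not TOKEN_RE.fullmatch(value):
            return value
    return None


def scan(log_lines):
    """Return [(line_number, decoded_message)] for each suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            message = injected_reason(match.group(1))
            if message is not None:
                hits.append((number, message))
    return hits


# Constructed sample log; line 2 uses the query string from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Dec/2003:11:40:01 +0100] "GET /default.html HTTP/1.1" 200 5120',
    '192.0.2.77 - - [11/Dec/2003:11:41:15 +0100] "GET /default.html?logout=asdf'
    '&reason=Please%20set%20your%20password%20to%20ABC123%20after%20login HTTP/1.1" 200 5301',
    '192.0.2.10 - - [11/Dec/2003:11:42:30 +0100] "GET /default.html?logout=1&reason=timeout HTTP/1.1" 200 5130',
]

if __name__ == "__main__":
    for number, message in scan(SAMPLE_LOG):
        print(f"line {number}: login page message supplied by URL: {message!r}")
```

A hit means a user was shown text on the login page that came from the link they followed, so the referrer and the source of that link are the next things to look at.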