Full Disclosure mailing list archives
.: Sambar Server Cross-Site Scripting vulnerability :.
From: "galiarept [security-corp]" <galiarept () security-corp org>
Date: Sun, 19 Jan 2003 21:57:23 +0100
.: Sambar Server Cross-Site Scripting vulnerability :.

________________________________________________________________________

Security Corporation Security Advisory [SCSA-001]

________________________________________________________________________

PROGRAM: Sambar Server
HOMEPAGE: http://www.sambar.com/
VULNERABLE VERSIONS: 5.3 and prior

________________________________________________________________________

DESCRIPTION
________________________________________________________________________

"Sambar Server is the new standard in high performance multi-functional
servers with features rivaling other commercial products selling
separately for several hundreds of dollars. It's Winsock2 compliant
Win32 integration functions on Windows 95, Windows 98, Windows NT,
Win2000, and XP as a service or as an application."
(direct quote from http://sambar.jalyn.net)

DETAILS
________________________________________________________________________

An exploitable bug was found in Sambar Server that causes JavaScript to
execute on the client's computer when the user follows a crafted URL.
This kind of attack, known as a "Cross-Site Scripting vulnerability", is
present in the search section of the web site: the "query" parameter of
the search results page is reflected into the response without being
encoded, so anyone can supply specially crafted links and/or other
malicious scripts.

EXPLOITS
________________________________________________________________________

http://localhost/search/results.stm?query=<script>alert('Test%20of%20vulnerability');</script>

SOLUTIONS
________________________________________________________________________

No solution for the moment.

VENDOR STATUS
________________________________________________________________________

Sambar has been contacted.

------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
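The defect class described in the DETAILS section (a search term reflected into the results page without encoding) and the standard mitigation (HTML-encoding untrusted input before it is written into the response) can be shown side by side. The following is an added illustration, not Sambar Server code and not a vendor fix: the render_results_unsafe / render_results_safe functions, the search hits, and the access-log lines are all constructed here. Only the proof-of-concept URL comes from the advisory. The last function shows the kind of check a defender could run over web-server logs to spot requests of this shape while no vendor patch is available.

```python
"""Reflected XSS in a search-results page: unsafe vs. escaped rendering,
plus a log-side detection check.

Added example, not Sambar Server code. The page layout, the
render_results_* functions, the search hits and the log lines are
constructed to show the class of defect described in SCSA-001 and the
standard mitigation: HTML-encode untrusted input before reflecting it.
"""
import re
from html import escape
from urllib.parse import urlsplit, unquote, unquote_plus

# The advisory's proof-of-concept URL (the one value taken from the page).
SAMPLE_URL = ("http://localhost/search/results.stm?query="
              "<script>alert('Test%20of%20vulnerability');</script>")

# Constructed access-log lines in Common Log Format for the detection check.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2003:21:57:23 +0100] '
    '"GET /search/results.stm?query=sambar HTTP/1.0" 200 512',
    '10.0.0.7 - - [19/Jan/2003:21:58:01 +0100] '
    '"GET /search/results.stm?query=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 640',
]


def query_from_url(url):
    """Extract the 'query' parameter the way a results page would.

    Parsed by hand (split on '&', percent-decode) so the ';' inside the
    payload is kept; older parse_qs versions would split on it."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "query":
            return unquote_plus(value)
    return ""


def render_results_unsafe(query, hits):
    """Vulnerable pattern: the search term is pasted straight into HTML.
    A value containing '<script>' becomes live markup in the browser."""
    items = "".join("<li>%s</li>" % h for h in hits)
    return "<h1>Results for %s</h1><ul>%s</ul>" % (query, items)


def render_results_safe(query, hits):
    """Mitigated pattern: every untrusted string is HTML-escaped before it
    is inserted into element content, so '<' becomes '&lt;' and cannot open
    a tag. quote=True also neutralises quotes for attribute contexts."""
    items = "".join("<li>%s</li>" % escape(h, quote=True) for h in hits)
    return "<h1>Results for %s</h1><ul>%s</ul>" % (escape(query, quote=True), items)


def contains_script_tag(html_doc):
    """Does the rendered page contain an unescaped <script ...> element?"""
    return "<script" in html_doc.lower()


def flag_reflected_script_attempts(log_lines):
    """Return the request targets whose percent-decoded query string carries
    a <script tag. Constructed detection logic for a defender's log review."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        target = m.group(1)
        decoded = unquote(urlsplit(target).query)
        if "<script" in decoded.lower():
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    q = query_from_url(SAMPLE_URL)
    hits = ["readme.txt", "index.htm"]  # constructed search hits
    print("UNSAFE:", render_results_unsafe(q, hits))
    print("SAFE:  ", render_results_safe(q, hits))
    print("FLAGGED:", flag_reflected_script_attempts(SAMPLE_LOG))
```

Escaping at the point of output is the mitigation because the search term is untrusted data reaching an HTML element context; rejecting the string "<script" on input would not help against the many other ways of expressing the same markup, whereas encoding every untrusted value for its output context closes the whole class. The log check is deliberately crude (it only matches a literal tag after percent-decoding) and is meant as a starting point for a review, not as a complete signature.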