oss-sec mailing list archives

CVE request: resin: Cross site scripting


From: Agostino Sarubbo <ago () gentoo org>
Date: Tue, 11 Jun 2013 11:10:31 +0200

From the secunia advisory SA53749 [1]:

Description
Gjoko Krstic has discovered a vulnerability in Caucho Resin, which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Input appended to the URL after /resin-admin/ is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

The vulnerability is confirmed in version 4.0.36. Other versions may
also be affected.


Solution
No official solution is currently available.

Provided and/or discovered by
Gjoko Krstic (LiquidWorm)

Original Advisory
ZSL-2013-5143:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5143.php

[1]: https://secunia.com/advisories/53749/

The original advisory contains a PoC.
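The advisory describes a reflected cross-site scripting flaw: text from the request path after /resin-admin/ is echoed into the admin console's HTML without output encoding. The Python example below is added here as an illustration; it is not Resin's code and is not taken from the advisory. It assumes a constructed error-page template and constructed sample paths, and shows the unsafe reflection pattern next to the fixed one (HTML-entity encoding with html.escape), together with a simple check a defender can run over rendered output to flag raw reflection of untrusted input.

```python
import html
from urllib.parse import unquote

# Constructed sample request paths (not from the advisory). The last two carry
# markup that a browser would interpret if the server reflected them verbatim.
SAMPLE_PATHS = [
    "/resin-admin/",
    "/resin-admin/status",
    "/resin-admin/<script>alert(1)</script>",
    "/resin-admin/%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
]

# Characters that change meaning when placed inside an HTML element body or
# attribute value; any of these appearing unencoded in reflected output is a finding.
HTML_SIGNIFICANT = '<>"\''


def decode_path(request_uri: str) -> str:
    """Servers typically percent-decode the path before using it; do the same here
    so the check sees the string a browser would actually be handed back."""
    return unquote(request_uri)


def render_vulnerable(request_uri: str) -> str:
    """The pattern the advisory describes: the decoded path is concatenated into
    HTML with no output encoding (constructed template, not Resin's page)."""
    path = decode_path(request_uri)
    return f"<p>Page not found: {path}</p>"


def render_hardened(request_uri: str) -> str:
    """Same page, but the reflected value is HTML-entity encoded for the context
    it lands in (element body); quote=True also covers attribute-value contexts."""
    path = decode_path(request_uri)
    return f"<p>Page not found: {html.escape(path, quote=True)}</p>"


def reflects_markup(page: str, request_uri: str) -> bool:
    """Return True when the untrusted input contains HTML-significant characters
    and the decoded input appears unencoded in the rendered page."""
    path = decode_path(request_uri)
    return any(c in path for c in HTML_SIGNIFICANT) and path in page


def audit(render, paths=SAMPLE_PATHS) -> list:
    """Run a renderer over the sample paths and list those it reflects unsafely."""
    return [p for p in paths if reflects_markup(render(p), p)]


if __name__ == "__main__":
    print("vulnerable renderer reflects:", audit(render_vulnerable))
    print("hardened renderer reflects:  ", audit(render_hardened))
```

Running the block reports both markup-bearing sample paths for the vulnerable renderer and none for the hardened one. The check is deliberately simple: it catches the raw-reflection case from the advisory, not every encoding mistake (for example a value placed inside a JavaScript block needs JavaScript-string encoding, not HTML entities).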

