Bugtraq mailing list archives

VisNetic WebSite XSS vulnerability through HTTP referer header


From: Ory Segal <ory.segal () sanctuminc com>
Date: Thu, 12 Dec 2002 10:24:32 +0200

Visnetic WebSite XSS vulnerability through HTTP Referer header
---------------------------------------------------------------------------------------------

=> Author: Ory Segal - Sanctum inc. http://www.sanctuminc.com/

=> Release date: 09/12/2002

=> Vendor: Deerfield ( http://www.deerfield.com )

The following products were found to be vulnerable:

VisNetic WebSite 3.5.13.1

=> Severity: High

=> Impact: Loss of privacy - user cookies associated with the target site may
be stolen in some cases.

=> CVE candidate: Not assigned yet.

=> Summary: A Cross Site Scripting vulnerability exists when requesting a
non-existent web page from VisNetic WebSite pro and injecting a malicious
script in the HTTP 'Referer' header.

=> Description: VisNetic WebSite server will return a customized 404 page when
a requested page does not exist. This customized 404 page contains a link to the
last visited web page, and by clicking on the link the user is redirected back
to where he/she came from. This link is created by using the data in the HTTP
'Referer' header, which is sent automatically by the web browser. By requesting
a non-existent page and changing the HTTP 'Referer' header to contain malicious
JavaScript code, an attacker may force the application to return the JavaScript
code to the web browser, where it will be executed.

=> Example Exploit: The following request will return a JavaScript pop-up screen:

GET /NonExistentPage.html HTTP/1.0
Host: TARGET
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: "></a><script>alert('Cross Site Scripting')</script>

=> Fix: The new version of VisNetic WebSite (3.5.15) solves this problem. You can download it from:
http://www.deerfield.com/products/visnetic_website/

=> Note: This XSS vulnerability (and many others) can be tested with Sanctum's
web application security scanner, AppScan.
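
Added example (not part of the original advisory and not VisNetic's code): a 404 page builder that reflects the Referer header verbatim, as the description above explains, next to a hardened version that only links to plain http(s) URLs and HTML-escapes the attribute value. The page template and function names are assumptions; the advisory does not show the real markup.

```python
import html
from urllib.parse import urlsplit

# Hypothetical template: the advisory does not show the real 404 page markup.
PAGE = "<html><body><h1>404 Not Found</h1>{back}</body></html>"
LINK = '<a href="%s">Return to previous page</a>'

# Referer value taken from the example request in the advisory.
ADVISORY_REFERER = "\"></a><script>alert('Cross Site Scripting')</script>"


def render_404_vulnerable(referer):
    """Copies the header straight into the href attribute (the flaw described)."""
    back = LINK % referer if referer else ""
    return PAGE.format(back=back)


def safe_back_link(referer):
    """Return an escaped back link, or '' if the header is not a plain http(s) URL."""
    if not referer or len(referer) > 2048:
        return ""
    # Reject spaces and control characters; a browser-sent Referer has none.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in referer):
        return ""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return ""
    # Only absolute http/https URLs may become a link; other schemes are dropped.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    # quote=True also encodes " and ', so the value cannot close the attribute.
    return LINK % html.escape(referer, quote=True)


def render_404_hardened(referer):
    """Build the 404 page with a validated, encoded back link (or none at all)."""
    return PAGE.format(back=safe_back_link(referer))


if __name__ == "__main__":
    print(render_404_vulnerable(ADVISORY_REFERER))  # script tag reaches the page
    print(render_404_hardened(ADVISORY_REFERER))    # back link omitted entirely
```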
