Home / exploitsPDF  

vtls-xss.txt

Posted on 13 November 2007

============================================= INTERNET SECURITY AUDITORS ALERT 2006-004 - Original release date: April 18, 2006 - Last revised: November 13, 2007 - Discovered by: Jesus Olmos Gonzalez - Severity: 1/5 ============================================= I. VULNERABILITY ------------------------- VTLS.web.gateway cgi is vulnerable to XSS II. BACKGROUND ------------------------- vtls.web.gateway cgi is a product from Visionary Technology in Library Solutions. VTLS Inc. is a leading global company that creates and provides visionary technology in library solutions. The company provide these solutions to a diverse customer base of more than 900 libraries in over 32 countries. III. DESCRIPTION ------------------------- VTLS is vulnerable to a cross site scripting attack, it is possible to execue html and javascript code in the browser of who cliks in a malicious crafted link. Here is a simple proof of concept that change html page as example. An attacker could intercept the keyboard, or make CSRF to submit a form of other page. IV. PROOF OF CONCEPT ------------------------- http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1&searchtype=subject%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&kind=ns&conf=080104+++++++ VI. SYSTEMS AFFECTED ------------------------- All with this solution up to 48.1.0 VII. SOLUTION ------------------------- Update to Version 48.1.1 VII. SOLUTION ------------------------- Update to Version 48.1.1 VIII. REFERENCES ------------------------- www.vtls.com IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com). X. REVISION HISTORY ------------------------- April 18, 2006: Initial release. November 13, 2007: Last revision. XI. DISCLOSURE TIMELINE ------------------------- February 27, 2006: The vulnerability discovered by Internet Security Auditors. April 18, 2006: Initial vendor notification sent. No response April 26, 2006: Second vendor notification sent. Ping pong responses. September 14, 2006: Third vendor notification sent. No response. December 01, 2006: Fourth vendor notification sent. No response. December 04, 2006: New patch coming. No schedule. January 02, 2007: Fifth vendor contact to ask for planning. No response. January 22, 2007: Sixth vendor contact to ask for planning. Scheduled. March 23, 2007: Seventh vendor contact to ask for planning. Re-Scheduled. May 22, 2007: Eigth vendor contact to ask for planning. Re-Scheduled. October 01, 2007: Nineth vendor contact to ask for planning. Patch will be published in October. November 09, 2007: Tenth. Version 48.1.1 has been approved for general release and published. November 13, 2007: Advisory Published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

 

TOP