
VisNetic WebSite XSS vulnerability through HTTP referer header

by Nikola Strahija on December 12th, 2002

A Cross Site Scripting vulnerability exists when requesting a non-existent web page from VisNetic WebSite pro and injecting a malicious script in the HTTP 'Referer' header.


=> Author: Ory Segal - Sanctum inc. http://www.sanctuminc.com/

=> Release date: 09/12/2002

=> Vendor: Deerfield ( http://www.deerfield.com )

The following products were found to be vulnerable:

VisNetic WebSite 3.5.13.1

=> Severity: High

=> Impact: Loss of privacy - user cookies associated with the target site may be stolen in some cases.

=> CVE candidate: Not assigned yet.

=> Summary: A Cross Site Scripting vulnerability exists when requesting a non-existent web page from VisNetic WebSite pro and injecting a malicious script in the HTTP 'Referer' header.

=> Description: VisNetic WebSite server will return a customized 404 page when a requested page does not exist. This customized 404 page contains a link to the last visited web page, and by clicking on the link the user is redirected back to where he/she came from. This link is created by using the data in the HTTP 'Referer' header, which is sent automatically by the web browser. By requesting a non-existent page and changing the HTTP 'Referer' header to contain malicious JavaScript code, an attacker may force the application to return the JavaScript code to the web browser, where it will be executed.

=> Example Exploit: The following request will return a JavaScript pop-up screen:

GET /NonExistentPage.html HTTP/1.0
Host: TARGET
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Referer: ">
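The root cause described above is a 404 handler that copies the Referer header straight into an HTML attribute. The following is an added example, not code from the advisory, from Sanctum or from Deerfield: a minimal Python model of such a handler in its vulnerable form next to a hardened form that validates the header as an absolute http(s) URL and HTML-escapes it before use, plus a small log-review check a defender can run over captured Referer values. All function names and the sample header value are constructed for this illustration.

```python
# Added example (not the advisory's or the vendor's code): a minimal model of a
# custom 404 page that links back to the HTTP Referer, shown in the vulnerable
# form the advisory describes and in a hardened form. All names are assumed.
import html
from typing import Optional
from urllib.parse import urlsplit


def vulnerable_404(referer: str) -> str:
    """Builds the 'back' link by concatenating the raw Referer header value.
    Whatever the client sends, including markup, is reflected verbatim."""
    return ('<html><body><h1>404 Not Found</h1>'
            '<a href="' + referer + '">Go back</a></body></html>')


def safe_referer(referer: Optional[str]) -> Optional[str]:
    """Accepts a Referer only if it parses as an absolute http(s) URL.
    Anything else (empty, javascript:, data:, stray markup) yields None,
    so the page simply omits the back link."""
    if not referer:
        return None
    value = referer.strip()
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return value


def hardened_404(referer: Optional[str]) -> str:
    """Same 404 page, but the link is only emitted for a validated URL and the
    value is HTML-escaped (quotes included) before it lands in an attribute."""
    ref = safe_referer(referer)
    body = '<h1>404 Not Found</h1>'
    if ref is not None:
        body += '<a href="' + html.escape(ref, quote=True) + '">Go back</a>'
    return '<html><body>' + body + '</body></html>'


# Constructed sample header value of the shape the advisory describes: the
# attribute is closed early and a script element follows.
INJECTED_REFERER = '"><script>alert(1)</script>'


def looks_like_reflection_attempt(referer: str) -> bool:
    """Cheap log-review heuristic for a defender: a Referer carrying angle
    brackets or quotes is never a legitimate browser-generated URL."""
    return any(ch in referer for ch in '<>"\'')


if __name__ == "__main__":
    print(vulnerable_404(INJECTED_REFERER))
    print(hardened_404(INJECTED_REFERER))
    print(hardened_404("http://example.com/page.html"))
```

Escaping alone would already stop the markup from breaking out of the attribute; the URL validation on top of it also rejects values such as javascript: links that are harmless as text but would still run when the user clicks the back link.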

=> Fix: The new version of VisNetic WebSite (3.5.15) solves this problem. You can download it from: http://www.deerfield.com/products/visnetic_website/

=> Note: This XSS vulnerability (and many others) can be tested with Sanctum's web application security scanner, AppScan.
