- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -
author: methodic <methodic@libpcap.net>
release date: 05/21/2003
homepage: http://sec.angrypacket.com
advisory id: 0x0005

+-------------------- -- -
+ product information
+----------------- -- -
software: Owl Intranet Engine
vendor: Chris Vincent
homepage: http://owl.sourceforge.net
description:
"Owl is a multi user document repository (knowledgebase) system
written in PHP4 for publishing of files/documents onto the web
for a corporation, small business, group of people, or just for
yourself."

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem: Cross-Site Scripting
affected: Owl 0.71 and previous versions
explanation: Owl doesn't properly filter metacharacters, allowing
injection of JavaScript code. Since Owl doesn't assign cookies, and
since the JavaScript code is placed before the form tag, you need to
reference the first link in order to steal someone's session id.
risk: Medium
status: Vendor was notified 05/18/03, fix is available.
exploit: Type the following into the 'Search' field:

<script>alert(document.links[0].href);</script>

fix: Upgrade to a newer version of Owl

+-------- -- -
+ credits
+----- -- -
Bug was found by methodic of AngryPacket security group.
gr33tz to victim1.. see j00 in KCMO!@#

+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2003 AngryPacket
Security, and may be distributed freely provided that no fee is
charged for distribution and that proper credit is given. As such,
AngryPacket Security group, collectively or individually, shall not
be held liable or responsible for the misuse of any information
contained herein.

- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
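
An added example, not part of the original advisory and not Owl's code: a search page written for current PHP that shows the unfiltered echo described under "vulnerability details" next to output-encoded versions for HTML text and for a link carrying a URL-borne session id. The function names, the `query` and `sess` parameters, and the `browse.php` path are assumptions made for illustration.

```php
<?php
// Added illustration; not Owl source. All names below are hypothetical.

// Vulnerable pattern: the search term is echoed into the page verbatim,
// so HTML metacharacters in it are parsed by the browser as markup.
function render_banner_unsafe(string $term): string
{
    return '<p>Results for: ' . $term . '</p>';
}

// Hardened pattern for HTML text context: encode < > & " ' on output.
function render_banner_safe(string $term): string
{
    return '<p>Results for: '
        . htmlspecialchars($term, ENT_QUOTES, 'UTF-8')
        . '</p>';
}

// Hardened pattern for a link that carries the term and a URL-borne
// session id: URL-encode each value, then HTML-encode the whole href.
function render_link_safe(string $term, string $sess): string
{
    $href = 'browse.php?' . http_build_query(
        ['sess' => $sess, 'query' => $term]
    );
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
        . '">Refine search</a>';
}

// Constructed input: the test string given in the advisory.
$term = '<script>alert(document.links[0].href);</script>';
$sess = 'EXAMPLE-SESSION-ID'; // constructed placeholder

echo render_banner_unsafe($term), "\n"; // markup is passed through unchanged
echo render_banner_safe($term), "\n";   // metacharacters become entities
echo render_link_safe($term, $sess), "\n";
```

Encoding is applied at output and chosen per context: `htmlspecialchars` alone is not sufficient inside a URL, which is why the link helper URL-encodes the values first.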