Proof of Concept, Stored XSS, SmarterStats 6.2.4100 - Reported May 5, 2011

We further note the obvious: if an attacker is able to inject JavaScript into the application through its built-in web server on port 9999, so that the injection is stored, the payload will execute when the stored content is reflected back out through port 80 on the IIS server. A well-crafted attack can be injected via IIS6; a PoC for IIS7.5 is under development.
Many sites expose the API via the SmarterTools web server on a public IP address and/or to backend provisioning systems, and then serve public / end-user access through IIS on port 80, as Plesk Control Panel for Windows does.

This is a cut and paste from the help file (quoting): "By default, SmarterStats installs a basic Web server that allows companies to start using the application immediately after installation. However, SmarterTools recommends moving to a more robust and secure Web server, such as Microsoft IIS."
Cross-site scripting (stored) + Cross-site scripting (reflected) - SmarterStats 6.x - CVE-2011-4750
Cleartext submission of password - SmarterStats 6.x - CVE-2011-2151
Password field with autocomplete enabled - SmarterStats 6.x - CVE-2011-2155
Cross-domain Referer leakage - SmarterStats 6.x - CVE-2011-4751
Cookie without HttpOnly flag set - SmarterStats 6.x - CVE-2011-2154
Content type incorrectly stated - SmarterStats 6.0 - CVE-2011-2158
Content type incorrectly stated - SmarterStats 6.x (6.2.4100)/Client/frmCustomReport.aspx - CVE-2011-4752
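As an added example (not part of the original advisory or of SmarterTools' code), the following check audits a fetched page for the weakness classes listed above: a cookie without HttpOnly, a mis-stated Content-Type, a password field with autocomplete left on, cleartext password submission over http, and a Referer leak to an external link. The sample headers and body are constructed to exhibit each finding; header names, cookie names and the link URL are assumptions, not captured from a real install.

```python
import re

# Constructed sample response exhibiting the weakness classes in the advisory
# (not captured from a real SmarterStats install).
SAMPLE_HEADERS = {
    "Content-Type": "text/plain",
    "Set-Cookie": ["ASP.NET_SessionId=abc123; path=/"],
}
SAMPLE_BODY = """<html><body>
<form method="post" action="Login.aspx">
  <input type="password" name="txtPassword">
</form>
<a href="http://stats-vendor.example/docs">Help</a>
</body></html>"""


def audit_response(headers, body, scheme="http"):
    """Return sorted finding labels for the weakness classes in the advisory.

    headers: dict of response headers; 'Set-Cookie' is a list since it repeats.
    scheme:  'http' or 'https', the scheme the page was fetched over.
    """
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = set()

    # Content type incorrectly stated: HTML body served with a non-HTML Content-Type.
    if "<html" in body.lower() and "text/html" not in hdr.get("content-type", "").lower():
        findings.add("content-type-mismatch")

    # Cookie without HttpOnly flag: inspect the attributes after name=value.
    for raw in hdr.get("set-cookie", []):
        name, _, attrs = raw.partition(";")
        flags = {a.strip().lower() for a in attrs.split(";")}
        if "httponly" not in flags:
            findings.add("cookie-missing-httponly:" + name.split("=", 1)[0].strip())

    # Password field with autocomplete enabled; cleartext submission when over http.
    pw_inputs = re.findall(r"<input\b[^>]*\btype=[\"']?password\b[^>]*>", body, re.I)
    for tag in pw_inputs:
        if not re.search(r"\bautocomplete=[\"']?off\b", tag, re.I):
            findings.add("password-autocomplete-enabled")
    if pw_inputs and scheme == "http":
        findings.add("cleartext-password-submission")

    # Cross-domain Referer leakage: absolute external link and no Referrer-Policy header.
    if re.search(r"href=[\"']https?://", body, re.I) and "referrer-policy" not in hdr:
        findings.add("referer-leakage-possible")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

Re-running the audit over the same page after enabling HttpOnly, correcting the Content-Type, setting autocomplete="off", adding a Referrer-Policy header and serving over https should return an empty list.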