Google Urchin password theft madness

2007.09.27
Credit: pagvac
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2007-5112
CWE: CWE-79


Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 There is a trivially exploitable XSS vul on Google Urchin Web Analytics 5's login page. The vulnerability has been tested on versions 5.6.00r2, v5.7.01, 5.7.02 and 5.7.03 (latest). Previous versions are most likely to be affected as well. I know that you're sick of XSS PoCs that only open alert boxes. So I crafted a exploit URL that will steal the victim's username and password by simply clicking on it: http://www.gnucitizen.org/blog/google-urchin-password-theft-madness PS: demo video included! - -- pagvac [http://gnucitizen.org, http://ikwt.com/] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) iD8DBQFG9//fjXB4hX6OC/cRAnchAJ4k9U4i8ZW1Cf8CjbNuivYlCHqjCQCeIVyj oZ2fz06792VVGEkfpPwjCMs= =Uz1y -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top