Cross Site Scripting in Oliver Library Management System

2007.07.11
Credit: A. R.
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

BACKGROUND ========== "Oliver is the web-based Library Management System for Schools. Softlink has built on the understanding of thousands of school clients, over many years, and has designed a new system for school libraries and learning resource centres in the 21st century" -- from http://www.softlink.co.uk: DETAILS ======= During a penetration test for an educational institution, several XSS vulnerabilities were found in their Oliver installations. Due to the test constraints it was not possible to ascertain the exact version of the product, but all instances that have been tested have been found trivially vulnerable Some of the vulnerable input fields include: 1) GET parameters http://www.victim.com/oliver/gateway/gateway.exe?X_=000f&application=Oli ver&displayform=main&updateform="><script>alert("XSS");</script> http://www.victim.com/oliver/gateway/gateway.exe?X_=000f&displayform=mai n"><script>alert("XSS");</script> 2) POST parameters in search forms In the Basic Search page, the following parameters are vulnerable: - TERMS - database - srchad - SuggestedSearch - searchform As a Proof-Of-Concept exploit, the following string can be appended to any of the listed parameters: "><script>alert("xss");</script> 3) Username login field: The application also fails to properly filter the username parameter, as can be seen when passing to the application the following string as username: --><script>alert("xss")</script> VENDOR RESPONSE =============== 15/06/2007 Vendor contacted. No response received 25/06/2007 Vendor contacted for the second time. No response received 03/07/2007 Advisory published


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top