BASE - 3 Persistent Cross Site Scripting Vulnerabilities

2009.06.01
Credit: Jabra
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

BASE, a well-known Snort frontend, has 3 persistent Cross-Site Scripting vulnerabilities. For those who don't know, Cross-Site Scripting allows the attacker to inject JavaScript to modify the functionality of the web pages. Since this vulnerability exists in BASE, this allows an attacker to drop alerts (all of them or specific alerts), modify user information including passwords, modify the configuration of BASE and many other tasks. The only limitation is the attacker's creativity.

The vulnerabilities exist in pages that use the information from 3 different components of BASE: alert groups, roles and user information.

For creating a user, the name field was found to be vulnerable. For the name field, I just injected JavaScript and it was rendered!

For creating an alert group, we just need to include a closure for the HTML by using "> and add our JavaScript afterwards. This causes the page that loads the name to close the HTML and execute our JavaScript! This is due to HTML encoding being used on the page.

For creating a role, both the name and the description field were vulnerable. The name field was limited to a specific number of characters. To verify, I just injected XSS and verified it rendered properly. The description field was just straight JavaScript.

Screenshots can be found at: http://www.spl0it.org/blog/index.php?entry=entry090530-212022

Regards,
Jabra

References:

http://seclists.org/fulldisclosure/2009/May/0278.html
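
Output encoding for the attribute and element contexts the advisory describes, shown as an added example that is not part of the original advisory and is not BASE's own code. The function names, the `ag_name` field and the stored sample strings are assumptions constructed for illustration:

```php
<?php
// Added example: hypothetical rendering helpers, not BASE's actual code.

// Encode a stored value for HTML element content and quoted attribute values.
function h(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close a quoted attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak form: stored alert group name concatenated straight into an attribute.
function renderGroupFieldUnsafe(string $name): string
{
    return '<input type="text" name="ag_name" value="' . $name . '">';
}

// Hardened form: same markup, value encoded at output time.
function renderGroupFieldSafe(string $name): string
{
    return '<input type="text" name="ag_name" value="' . h($name) . '">';
}

// Hardened form for element content (user name, role name, role description).
function renderCell(string $text): string
{
    return '<td>' . h($text) . '</td>';
}

// Constructed stored values of the kind the advisory describes.
$stored = [
    'group' => '"><script>alert(1)</script>',
    'user'  => '<script>alert(1)</script>',
];

echo renderGroupFieldUnsafe($stored['group']), "\n"; // attribute closes early, markup is live
echo renderGroupFieldSafe($stored['group']), "\n";   // value stays inside the attribute
echo renderCell($stored['user']), "\n";              // rendered as text

// Regression check: encoded output must not carry a raw tag opener from stored data.
foreach ([renderGroupFieldSafe($stored['group']), renderCell($stored['user'])] as $html) {
    if (stripos($html, '<script') !== false) {
        throw new RuntimeException('stored value reached the page unencoded');
    }
}
```

Encoding at output time covers values already stored in the database, which input filtering alone would not.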

