
VTLS.web.gateway cgi is vulnerable to XSS






============================================
INTERNET SECURITY AUDITORS ALERT 2006-004
- Original release date: April 18, 2006
- Last revised: November 13, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 1/5
============================================
I. VULNERABILITY
-------------------------
VTLS.web.gateway cgi is vulnerable to XSS

II. BACKGROUND
-------------------------
vtls.web.gateway cgi is a product from Visionary Technology in Library
Solutions.

VTLS Inc. is a leading global company that creates and provides
visionary technology in library solutions.

The company provides these solutions to a diverse customer base of more
than 900 libraries in over 32 countries.

III. DESCRIPTION
-------------------------
VTLS is vulnerable to a cross-site scripting attack: it is possible to
execute HTML and JavaScript code in the browser of anyone who clicks on
a maliciously crafted link.

The proof of concept below simply changes the HTML page as an example.
An attacker could also intercept keyboard input, or perform CSRF to
submit a form on another page.

IV. PROOF OF CONCEPT
-------------------------
http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1&searchtype=subject%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&kind=ns&conf=080104+++++++ 
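
The following is an added example, not part of the original advisory and not VTLS code: it decodes the `searchtype` value from the link above and shows how output encoding and allow-list validation each neutralise it. The template (a double-quoted attribute, inferred from the `">` prefix in the link) and the allowed token pattern are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# PoC URL from section IV of the advisory (placeholder host as published).
POC_URL = (
    "http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1"
    "&searchtype=subject%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E"
    "%3C/h1%3E%3C!--&kind=ns&conf=080104+++++++")

# Assumption: legitimate searchtype values are short lowercase tokens ("subject").
SEARCHTYPE_RE = re.compile(r"[a-z]{1,32}")

# Hypothetical template: the value is echoed into a double-quoted attribute.
TEMPLATE = '<input type="hidden" name="searchtype" value="{}">'


def get_param(url, name):
    """Return the percent-decoded first value of a query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(value):
    """The flawed pattern: the decoded value is reflected without encoding."""
    return TEMPLATE.format(value)


def render_escaped(value):
    """Output encoding: &, <, > and both quote characters become entities."""
    return TEMPLATE.format(html.escape(value, quote=True))


def validate_searchtype(value):
    """Input validation: reject anything that is not a plain token."""
    if not SEARCHTYPE_RE.fullmatch(value):
        raise ValueError("invalid searchtype")
    return value


if __name__ == "__main__":
    v = get_param(POC_URL, "searchtype")
    print("decoded :", v)
    print("unsafe  :", render_unsafe(v))
    print("escaped :", render_escaped(v))
```
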

VI. SYSTEMS AFFECTED
-------------------------
All with this solution up to 48.1.0

VII. SOLUTION
-------------------------
Update to Version 48.1.1

VIII. REFERENCES
-------------------------
www.vtls.com 

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
April     18, 2006: Initial release.
November  13, 2007: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
February  27, 2006: The vulnerability discovered by
                    Internet Security Auditors.
April     18, 2006: Initial vendor notification sent.
                    No response.
April     26, 2006: Second vendor notification sent.
                    Ping pong responses.
September 14, 2006: Third vendor notification sent.
                    No response.
December  01, 2006: Fourth vendor notification sent.
                    No response.
December  04, 2006: New patch coming.
                    No schedule.
January   02, 2007: Fifth vendor contact to ask for planning.
                    No response.
January   22, 2007: Sixth vendor contact to ask for planning.
                    Scheduled.
March     23, 2007: Seventh vendor contact to ask for planning.
                    Re-Scheduled.
May       22, 2007: Eighth vendor contact to ask for planning.
                    Re-Scheduled.
October   01, 2007: Ninth vendor contact to ask for planning.
                    Patch will be published in October.
November  09, 2007: Tenth. Version 48.1.1 has been approved for
                    general release and published.
November  13, 2007: Advisory Published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.
