Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: bt1031.txt

Escapade Scripting Engine XSS Vulnerability and Path Disclosure

Escapade Scripting Engine XSS Vulnerability and Path Disclosure

Published: 9 September 2003

Released: 9 September 2003

Affected Systems: Escapade Scripting Engine

Vendor: ,

Issue: Remote attackers can inject XSS script and know the path of the 




Escapade, or ESP for short, is a server-side scripting language that 

provides an interface to back-end database contents. Specifically 

designed to create dynamic information from this data, Escapade can be 

used to generate any kind of document - HTML, XML, text, and more. 

While server-side scripting is not a new concept, ESP is a breakthrough 

product that will enable programmers to much more easily have access to 

data in databases in their web pages without having to resort to ASP or 

complicated back-end Perl or PHP scripts. 



It's possibile to inject XSS script in the method variable. 



It's possible to make a malformed http request for many variables in 

Escapade and in doing so trigger an error. The resulting error message 


disclose potentially sensitive installation path information to the 

remote attacker. 




The vendor has been contacted and a patch is not yet produced.



Filter the method variable (xss problem), filter all variables. 

Discovered by / credit:


Bahaa Naamneh

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH