=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::= topic: Zeus Admin Server v4.1r2 index.fcgi XSS bug product: Zeus Admin Server v4.1r2 for linux/x86 vendor: http://www.zeus.co.uk risk: very low (authorisation required) date: 11/8/2k2 discovered by: euronymous /F0KP /HACKRU Team advisory urls: http://f0kp.iplus.ru/bz/007.txt http://xakep.host.sk/bz/007.txt =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::= description ----------- in default Zeus installation, you can to access management interface via http://hostname:9090. [you have to enter correct login/password here] there is some general script, that contain xss bug. btw, default management login is `admin'.. sample attack ------------- http://hostname:9090/apps/web/index.fcgi?servers= §ion=<script>alert(document.cookie)</script> [it must be in a single string] shouts: HACKRU Team, DHG, Spoofed Packet, all russian security guyz fuck_off: slavomira and other dirty ppl in *.kz ================ im not a lame, not yet a hacker ================
