In article <3DCC12EC.000005.12196@ariel.yandex.ru>, euronymous wrote:
>=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
>topic: Zeus Admin Server v4.1r2 index.fcgi XSS bug
>product: Zeus Admin Server v4.1r2 for linux/x86
>vendor: http://www.zeus.co.uk
>risk: very low (authorisation required)
>date: 11/8/2k2
>discovered by: euronymous /F0KP /HACKRU Team
>advisory urls: http://f0kp.iplus.ru/bz/007.txt
> http://xakep.host.sk/bz/007.txt
>=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
>
>description
>-----------
>in the default Zeus installation, you can access the
>management interface via http://hostname:9090.
>
>[you have to enter a correct login/password here]
>
>there is a general script that contains an xss bug.
>btw, the default management login is `admin'..
>
>sample attack
>-------------
>http://hostname:9090/apps/web/index.fcgi?servers=
>&section=<script>alert(document.cookie)</script>
>
>[it must be in a single string]

Zeus Technology, 21st November 2002.

"Zeus Admin Server v4.1r2 index.fcgi XSS bug" vendor response.

On November 9th 2002, a cross-site-scripting attack against the Zeus Administration Server was reported on bugtraq (incident "Zeus Admin Server v4.1r2 index.fcgi XSS bug"). Zeus Technology have investigated this report and confirm that a harmless cross-site-scripting exploit is possible under very limited conditions.

If an attacker tricked a Zeus Administrator into following a carefully constructed link when logged into the Administration Server, the attacker could retrieve a list of group names, and monitored variable names and machines. This information is not security-sensitive. Zeus Technology agree with the reporter's assessment that the risk is 'very low'.

This vulnerability is present in Zeus Web Server 4.0 and 4.1. It has been resolved in Zeus Web Server 4.1r5 (released 19th Nov. 2002) and Zeus Web Server 4.2 (released 21st Nov. 2002).

More details

This exploit can be used to retrieve any information stored in cookies by the Zeus Administration Server. To mount an attack, an attacker must have prior knowledge of the host and port that the Administration Server is running on, and must trick a Zeus Administrator into following a carefully constructed link when logged into the Administration Server.

The Zeus Administration Server uses cookies to record several items of transient state: the state of the folding list of groups of virtual servers, and the list of currently monitored variables and machines if real-time monitoring is in place. It does not use cookies to store any security-sensitive information, such as usernames or passwords.

Zeus Technology continue to advise that the Administration Server is shut down when not in use as a matter of routine. Zeus Technology do not believe that this vulnerability is serious enough to merit upgrading to versions 4.1r5 or 4.2.

Zeus Technology work closely with customers, evaluators, security professionals and other researchers to ensure its products are secure and free from defects. Any security-related comments received at support@zeus.com or through any other means are treated with the utmost attention. Zeus Technology regret that the researcher who discovered this exploit did not make any attempt to contact the vendor at any time.

[Apologies for the delay in getting this reply to bugtraq.]

Regards,
--
Colin Watson, <colinw@zeus.com>         Zeus Technology Ltd
Software Engineer                       Universally Serving the Net
Tel:+44(0)1223 525000  Fax:+44(0)1223 525100  http://www.zeus.com/
Zeus House, Cowley Road, Cambridge, CB4 0ZT, ENGLAND
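The defect class described in this thread, a query parameter reflected into the admin page without encoding, shown as an added example that is not Zeus's code and not from either poster: the request parsing, the `render_*` functions and the detection helper are assumptions built around the advisory's sample URL, and the vulnerable rendering is a hypothetical sketch, not the actual index.fcgi logic.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request built from the advisory's sample attack. Host, port,
# script path and parameter names come from the advisory; nothing else does.
SAMPLE_URL = (
    "http://hostname:9090/apps/web/index.fcgi?servers="
    "&section=<script>alert(document.cookie)</script>"
)


def section_param(url: str) -> str:
    """Return the decoded 'section' query parameter that the page reflects."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("section", [""])[0]


def render_vulnerable(section: str) -> str:
    """Hypothetical sketch of the bug: the parameter is echoed verbatim,
    so browser-side markup in it becomes live script in the admin's session."""
    return f"<h2>Section: {section}</h2>"


def render_fixed(section: str) -> str:
    """Same fragment with HTML entity encoding applied to the reflected value.
    The user-controlled text is now rendered as data, never as markup."""
    return f"<h2>Section: {html.escape(section, quote=True)}</h2>"


def is_suspicious_request(url: str) -> bool:
    """Detection helper for access logs: flag requests whose decoded query
    parameters carry markup characters that no legitimate section name needs."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any("<" in v or ">" in v for vals in qs.values() for v in vals)
```

The fixed rendering keeps the reported payload inert (`&lt;script&gt;...`), and the log check lets an operator spot the crafted link in the Administration Server's request log even though the vendor rates the impact as very low.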