Remotely Anywhere Message Injection Vulnerability
=================================================

In addition to http://www.securityfocus.com/bid/9120, I found that it is possible to inject an arbitrary message into the login page of Remotely Anywhere. The text supplied in the reason parameter of the logout URL is reflected into the login page and shown to the user in a message box. This is not an XSS attack, because no script code is executed directly, even though a message box pops up containing the injected text (see http://www.oliverkarow.de/research/ra.jpg for a screenshot). The risk is content spoofing: an attacker who gets a user to open a crafted link to the legitimate Remotely Anywhere host can display any wording inside the trusted login page, for example an instruction to set the password to a value the attacker chooses.

Exploiting:
===========

https://host:2000/default.html?logout=asdf&reason=Please%20set%20your%20password%20to%20ABC123%20after%20login

Vulnerable:
===========

This vulnerability was tested on "Remotely Anywhere Enterprise Edition" (no version number given).

Discovered by:
==============

oliver.karow_gmx.de
www.oliverkarow.de
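The following is an added illustration of the weakness described above, not code from Remotely Anywhere or from the advisory's author. It shows a login-page handler that reflects a free-text reason parameter (HTML-escaped, so no script runs, matching the "not XSS" observation, yet the attacker still controls the wording), the hardened form that treats reason as an opaque code mapped to server-defined messages, and a check that flags access-log requests carrying free text in that parameter. The function names, the reason-code table, the /default.html path and the log lines are assumptions constructed for the example.

```python
"""Reflected 'reason' message injection: vulnerable handler, hardened
handler, and an access-log check.  Added example; handler names, the
reason-code table and the log lines below are assumptions, not the
product's code."""
import html
from urllib.parse import urlsplit, parse_qs

# Server-defined texts.  The hardened handler only ever shows one of these,
# so no request-controlled wording reaches the trusted page.
REASON_MESSAGES = {
    "logout": "You have been logged out.",
    "timeout": "Your session has timed out. Please log in again.",
    "auth": "Authentication failed.",
}


def render_login_vulnerable(query_string: str) -> str:
    """Reflects the free-text reason into the page.  html.escape() blocks
    script injection, but the attacker still chooses the message the user
    reads on a page served by the legitimate host (content spoofing)."""
    params = parse_qs(query_string)
    reason = params.get("reason", [""])[0]
    return f'<p class="notice">{html.escape(reason)}</p><form>...</form>'


def render_login_hardened(query_string: str) -> str:
    """Treats 'reason' as an opaque code and maps it to a fixed message.
    Unknown codes fall back to a generic text, so the parameter can never
    put arbitrary wording into the page."""
    params = parse_qs(query_string)
    code = params.get("reason", [""])[0]
    msg = REASON_MESSAGES.get(code, "Please log in.")
    return f'<p class="notice">{html.escape(msg)}</p><form>...</form>'


def flag_injected_reason(log_line: str) -> bool:
    """True if a Common Log Format line requests /default.html with a
    'reason' value that is not one of the known codes.  Injected messages
    arrive as percent-encoded free text, which parse_qs decodes."""
    try:
        request = log_line.split('"')[1]       # 'GET /path?qs HTTP/1.1'
        path = request.split()[1]
    except IndexError:
        return False
    parts = urlsplit(path)
    if not parts.path.endswith("/default.html"):
        return False
    return any(r not in REASON_MESSAGES
               for r in parse_qs(parts.query).get("reason", []))


def scan_log(lines):
    """Return the log lines that look like message-injection attempts."""
    return [line for line in lines if flag_injected_reason(line)]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2003:10:00:00 +0100] '
    '"GET /default.html?logout=1&reason=timeout HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Dec/2003:10:01:00 +0100] '
    '"GET /default.html?logout=asdf&reason=Please%20set%20your%20password'
    '%20to%20ABC123%20after%20login HTTP/1.1" 200 1234',
    '10.0.0.9 - - [01/Dec/2003:10:02:00 +0100] '
    '"GET /index.html HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    qs = "logout=asdf&reason=Please%20set%20your%20password%20to%20ABC123%20after%20login"
    print("vulnerable:", render_login_vulnerable(qs))
    print("hardened:  ", render_login_hardened(qs))
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

The fix is not output encoding alone: escaping keeps script out, but the page still repeats whatever the link said. Mapping reason codes to fixed messages (or dropping the parameter entirely) removes the attacker's control over the wording.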