Info

Disclosure

Jul 15, 2004

Discovery

Unknown

Dates

Exploit

Jul 15, 2004

Solution

Unknown

Description

Gattaca Server 2003 contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the TEMPLATE and LANGUAGE variables upon submission to the web.tmpl script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: Vendor Verified
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

GeeOS Team

Gattaca Server

1.1.10.0

References

Security Tracker: 1010703
Bugtraq ID: 10731
Secunia Advisory ID: 12071
ISS X-Force ID: 16701
CVE ID: 2004-2522 (see also: NVD)
Related OSVDB ID: 7922 7923 7924 7925 7926
Other Advisory URL: http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt
Vendor Specific News/Changelog Entry: http://www.gattaca-server.com/cgi-bin/yabb/YaBB.pl?board=gattaca_discussion;action=display;num=1091194176;start=0#0

Credit

Dr_insane - dr_insanepathfinder.gr - Personal Page

Direct URL: http://osvdb.org/7927