[VIM] Source code verification of DVBBS XSS in showerr.asp/action
Steven M. Christey
coley at mitre.org
Tue Jul 19 15:44:40 EDT 2005
Refs: CAN-2005-2318, BID:14223
Issue: XSS in DVBBS 7.1 via action parameter of showerr.asp
While trying to find more information on this issue, I accidentally
ran across a couple showerr.asp source files that were being served
unparsed on various sites.
Source code review shows that the action parameter is not quoted. I
haven't done a live test.
[5] action=Request("action")
...
[14]Select Case action
[15] Case "stop"'ÂÛ̳ÔÝÍ£
[56] Case "iplock"'IP±»ÏÞ
[65] Case "limitedonline"'ÔÚÏß±»ÏÞ
[71] Case "OtherErr"
[90] Case "readonly"
[132] Case "lock"
[142] Case "plus"
...
[158] Case Else
...
[165] template.html(0)=Replace(template.html(0),"{$action}",action)
If the action parameter has XSS in it, then the code would fall
through to the "Case Else" and its value would be directly inserted
into the template.
A quick glance suggests that there may be some other XSS issues as
well.
- Steve
More information about the VIM
mailing list