<<< Date Index >>>     <<< Thread Index >>>

Remotely Anywhere Message Injection Vulnerability



Remotely Anywhere Message Injection Vulnerability
=================================================

In addition to http://www.securityfocus.com/bid/9120 i found that it is
possible to inject a message into the login page of Remotely Anywhere.
Its not a XSS attack, because there is no directly executed script code,
even if a msg-box pops up containing the injected message
(have a look at http://www.oliverkarow.de/research/ra.jpg for a
screenshot).


Exploiting:
===========

https://host:2000/default.html?logout=asdf&reason=Please%20set%20your%20password%20to%20ABC123%20after%20login


Vulnerable:
===========

This vuln. was tested on "Remotely Anywhere Enterprise Edition"


Discovered by:
==============

oliver.karow_gmx.de
www.oliverkarow.de

-- 
+++ GMX - die erste Adresse für Mail, Message, More +++
Neu: Preissenkung für MMS und FreeMMS! http://www.gmx.net