[ISecAuditors Security Advisories] VTLS.web.gateway cgi is vulnerable to XSS
=============================================
INTERNET SECURITY AUDITORS ALERT 2006-004
- Original release date: April 18, 2006
- Last revised: November 13, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 1/5
=============================================
I. VULNERABILITY
-------------------------
VTLS.web.gateway cgi is vulnerable to XSS
II. BACKGROUND
-------------------------
vtls.web.gateway cgi is a product from Visionary Technology in Library
Solutions.
VTLS Inc. is a leading global company that creates and provides
visionary technology in library solutions.
The company provides these solutions to a diverse customer base of more
than 900 libraries in over 32 countries.
III. DESCRIPTION
-------------------------
VTLS is vulnerable to a cross-site scripting attack: it is possible to
execute HTML and JavaScript code in the browser of anyone who clicks on
a maliciously crafted link.
Here is a simple proof of concept that changes the HTML page as an
example. An attacker could intercept the keyboard, or use CSRF to submit
a form on another page.
IV. PROOF OF CONCEPT
-------------------------
http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1&searchtype=subject%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&kind=ns&conf=080104+++++++
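Added example, not part of the original advisory or of VTLS code: a log review sketch that flags requests to vtls.web.gateway whose decoded query parameters carry HTML metacharacters, as the searchtype value above does. It assumes Common Log Format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters that let a value break out of an HTML attribute or open a tag,
# as the advisory's proof of concept does with "> followed by markup.
MARKUP = re.compile(r'[<>"\']')
GATEWAY = "/vtls.web.gateway"
# Request line inside a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return {param: decoded value} for gateway parameters carrying markup."""
    parts = urlsplit(target)
    if not parts.path.endswith(GATEWAY):
        return {}
    hits = {}
    # parse_qsl percent-decodes, so %22%3E is matched as the characters ">
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKUP.search(value):
            hits[name] = value
    return hits


def scan(lines):
    """Return [(line number, hits)] for log lines hitting the gateway with markup."""
    results = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m:
            hits = suspicious_params(m.group(1))
            if hits:
                results.append((n, hits))
    return results


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2007:10:00:00 +0000] "GET /cgi-bin/vtls/vtls.web.gateway?authority=1&searchtype=subject&kind=ns&conf=080104 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [13/Nov/2007:10:00:05 +0000] "GET /cgi-bin/vtls/vtls.web.gateway?authority=1&searchtype=subject%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&kind=ns&conf=080104 HTTP/1.1" 200 5301',
    '192.0.2.12 - - [13/Nov/2007:10:00:09 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, hits)
```

Hits are candidates for review rather than confirmed attacks, since a legitimate search term can contain a quote character.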
VI. SYSTEMS AFFECTED
-------------------------
All versions of this solution up to 48.1.0
VII. SOLUTION
-------------------------
Update to Version 48.1.1
VIII. REFERENCES
-------------------------
www.vtls.com
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
April 18, 2006: Initial release.
November 13, 2007: Last revision.
XI. DISCLOSURE TIMELINE
-------------------------
February 27, 2006: The vulnerability was discovered by
Internet Security Auditors.
April 18, 2006: Initial vendor notification sent.
No response
April 26, 2006: Second vendor notification sent.
Ping pong responses.
September 14, 2006: Third vendor notification sent.
No response.
December 01, 2006: Fourth vendor notification sent.
No response.
December 04, 2006: New patch coming.
No schedule.
January 02, 2007: Fifth vendor contact to ask for planning.
No response.
January 22, 2007: Sixth vendor contact to ask for planning.
Scheduled.
March 23, 2007: Seventh vendor contact to ask for planning.
Re-Scheduled.
May 22, 2007: Eighth vendor contact to ask for planning.
Re-Scheduled.
October 01, 2007: Ninth vendor contact to ask for planning.
Patch will be published in October.
November 09, 2007: Tenth. Version 48.1.1 has been approved for
general release and published.
November 13, 2007: Advisory Published.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.