[ISecAuditors Security Advisories] VTLS.web.gateway cgi is vulnerable to XSS

[ISecAuditors Security Advisories <advisories@xxxxxxxxxxxxxxxx>]

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-004
- Original release date: April 18, 2006
- Last revised: November 13, 2007
- Discovered by: Jesus Olmos Gonzalez
- Severity: 1/5
=============================================

I. VULNERABILITY
-------------------------
VTLS.web.gateway cgi is vulnerable to XSS

II. BACKGROUND
-------------------------
vtls.web.gateway cgi is a product from Visionary Technology in Library
Solutions.

VTLS Inc. is a leading global company that creates and provides
visionary technology in library solutions.

The company provide these solutions to a diverse customer base of more
than 900 libraries in over 32 countries.

III. DESCRIPTION
-------------------------
VTLS is vulnerable to a cross site scripting attack, it is possible to
execue html and javascript code in the browser of who cliks in a
malicious crafted link.

Here is a simple proof of concept that change html page as example. An
attacker could intercept the keyboard, or make CSRF to submit a form
of other page.

IV. PROOF OF CONCEPT
-------------------------
http://somevtlsweb.net/cgi-bin/vtls/vtls.web.gateway?authority=1&searchtype=subject%22%3E%3Ch1%3E%3Cmarquee%3EXSS%20bug%3C/marquee%3E%3C/h1%3E%3C!--&kind=ns&conf=080104+++++++

VI. SYSTEMS AFFECTED
-------------------------
All with this solution up to 48.1.0

VII. SOLUTION
-------------------------
Update to Version 48.1.1

VII. SOLUTION
-------------------------
Update to Version 48.1.1

VIII. REFERENCES
-------------------------
www.vtls.com

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
April     18, 2006: Initial release.
November  13, 2007: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
February  27, 2006: The vulnerability discovered by
                    Internet Security Auditors.
April     18, 2006: Initial vendor notification sent.
                    No response
April     26, 2006: Second vendor notification sent.
                    Ping pong responses.
September 14, 2006: Third vendor notification sent.
                    No response.
December  01, 2006: Fourth vendor notification sent.
                    No response.
December  04, 2006: New patch coming.
                    No schedule.
January   02, 2007: Fifth vendor contact to ask for planning.
                    No response.
January   22, 2007: Sixth vendor contact to ask for planning.
                    Scheduled.
March     23, 2007: Seventh vendor contact to ask for planning.
                    Re-Scheduled.
May       22, 2007: Eigth vendor contact to ask for planning.
                    Re-Scheduled.
October   01, 2007: Nineth vendor contact to ask for planning.
                    Patch will be published in October.
November  09, 2007: Tenth. Version 48.1.1 has been approved for
                    general release and published.
November  13, 2007: Advisory Published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.